[Declude.JunkMail] Downloading the last all_list.dat to freshen your COUNTRY tests

2013-04-18 Thread Colbeck, Andrew
You'll want to fetch this zipped version:

https://www.declude.com/version/extras/IP/all_list.zip

Inside is the all_list.dat dated April 7th, 2013.

Make a backup copy of your existing all_list.dat, and then overwrite it with 
the all_list.dat inside that zip file download.


Andrew.


-Original Message-
From: Randy Armbrecht [mailto:ra...@globalweb.us]
Sent: Thursday, April 18, 2013 7:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

I was able to download it from my Declude site login; couldn't download it from 
the interim site



Sincerely,

Randy A.


-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, April 18, 2013 9:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Was anyone able to download the all_list.dat file from the interim directory 
that David posted?  Everything else downloaded for me except that file.

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 8:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Filters, yes; all_list.dat, working on that.

-Original Message-
From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, April 18, 2013 9:14 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

David - with your support extended to the community, will you be able to offer 
maintenance of the all_list.dat as well as the filters?


-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:02 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Not that I can think of, the real advantage is it shuts off all internal 
validations, AVG which has already stopped, SNF and CT which will stop anytime 
soon.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 1:43 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Thanks David,

So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs.
the Bypass key?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:09 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

If internal SNF is still ON then it can conflict with external Message Sniffer 
by grabbing the port which SNF uses. Using our fix will ensure internal SNF 
is turned OFF. If using the bypass key has everything OFF then that is fine too.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:46 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

So - is there any advantage of using the hosts file trick (to invalidate the 
license server IP address) http://mailsbestfriend.com/declude-fix
vs. using the special bypass license code?

Does one enable more functions than the other?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 12:31 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Yes Internal Sniffer is no longer a valid option. Need to switch to external.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:06 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Uh - but with that code, the internal SNF is turned off?

So one has to configure Sniffer as an external test with a separate Sniffer 
license code?

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: April 17, 2013 2:43
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Apparently I was too quick on the draw as this line has since been added to the 
diag file:

04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B]
IS INVALID KEY

Did someone say something about new keys?

-Original Message-
From: SM Admin
Sent: Tuesday, April 16, 2013 10:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I noticed today that Declude wasn't processing.  I checked the diag file and it 
has the usual entries at the top plus an entry at the bottom saying that the 
Sniffer license is invalid.  How is that?

So then I restarted the Declude service and now the diag file only shows
this:

Declude 4.12.02 Diagnostics
Compilation Platform: SmarterMail

RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

2013-04-09 Thread Colbeck, Andrew
If you upgraded to Declude 4.11.09 to avoid the AVG licence issue, you’ll find 
that it was a bandaid, and that build’s usefulness also expired 
contemporaneously with David and Linda’s employee status, on January 31, 2013.



C:\IMail>strings decludeproc.exe | grep LicBeg

LicBeg, Ver=1.1, Name=Declude, Exp=2013-01-31, +Av, Sign=blahblahblah



You still received updates for a grace period (the files with zero bytes are 
normal for the Declude implementation of AVG):



C:\IMail>dir C:\IMail\declude\scanners\AVG\db

 Volume in drive C has no label.
 Volume Serial Number is 9471-8A74

 Directory of C:\IMail\declude\scanners\AVG\db

03/22/2013  07:47 AM    <DIR>          .
03/22/2013  07:47 AM    <DIR>          ..
03/19/2013  02:44 PM                 0 avi7.avg
03/19/2013  02:44 PM                 0 microavi.avg
03/19/2013  02:44 PM                 0 miniavi.avg
03/22/2013  07:47 AM        71,002,023 incavi.avm
               4 File(s)     71,002,023 bytes
               2 Dir(s)  11,036,254,208 bytes free

C:\IMail>



This might be addressed in the latest (last?) build which you can obtain 
through the interim downloads website (log into your client support site for 
the link).



If I remember correctly, that build is on 2013-03-15 with v4.12.02 that 
specifically cites in the change log ReadMe.txt:



4.12.02 ==  Fix: update AVG Key

4.12.01 ==  Fix: AVG Bug

4.12.00 ==  Fix: update AVG Key



Which (I think) also fixes the “ERROR: Failed Initialize AVG 183” being spammed 
all over your c:\imail\declude\diags.txt





Andrew.





From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 7:33 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow 
processing



Thanks Dave, will do.



On Fri, Jan 11, 2013 at 10:25 AM, David Barker dbar...@declude.com wrote:

Dean,



There is currently an issue with the AVG that we are currently working on. As 
far as backup in the \proc directory and the 0 Kb log that seems like a 
different issue. Can you please contact supp...@declude.com for assistance.


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com mailto:dbar...@declude.com











From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 10:18 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow 
processing



The subject says it all. This morning, Declude started to have high CPU usage, 
the log file is 0k and messages are backing up in the proc directory. I looked 
in the diags.txt and I see this message:



ERROR: Failed Initialize AVG 183Daisy Chain 
smtp32.exe



I was running 4.11 and upgraded to 4.11.09 and still have the same results. Any 
thoughts?



--
---
Dean M. Lawrence
INTERNET DATA TECHNOLOGY
p // 888.438.4381 ext. 701
w // www.idatatech.com
f // www.facebook.com/idatatech
t // www.twitter.com/idatatech

Social Marketing | SEO | Design | Internet Development


--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type unsubscribe 
Declude.JunkMail. The archives can be found at http://www.mail-archive.com.











This message (and any associated files) may contain confidential, proprietary 
and/or privileged material and access to these materials by anyone other than 
the intended recipient is unauthorized. Unauthorized recipients are required to 
maintain confidentiality. Any review, retransmission, dissemination or other 
use of these materials by persons or entities other than the intended recipient 
is prohibited and may be unlawful. If you have received this message in error, 
please notify us immediately and destroy the original.


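Andrew's `strings decludeproc.exe | grep LicBeg` check in the thread above is the kind of thing worth automating, so that an embedded licence running out is caught before processing stops. The following Python is an added example, not Declude's code or anything posted to the list: it scans a byte blob for the same `LicBeg` record, splits the record into fields, and compares the `Exp` date with a reference date. The blob is constructed here, its `Sign` value is a placeholder, and the `key=value, +flag` field layout is assumed from the single line Andrew quoted.

```python
import re
from datetime import date
from typing import Optional

# Constructed stand-in for the bytes `strings decludeproc.exe` walks through:
# binary noise on either side of one LicBeg record.  The Sign value is a
# placeholder, not a real signature.
CONSTRUCTED_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00noise\x00"
    b"LicBeg, Ver=1.1, Name=Declude, Exp=2013-01-31, +Av, Sign=PLACEHOLDER\x00"
    b"\xff\xfemore noise\x00"
)

# A LicBeg record runs from the marker up to the next NUL or line break.
LIC_RE = re.compile(rb"LicBeg,\s*([^\x00\r\n]+)")


def find_license_record(blob: bytes) -> Optional[dict]:
    """Locate the printable 'LicBeg, ...' record (what the grep above finds)
    and split its comma-separated fields into a dict.  'key=value' fields keep
    their value; bare flags such as '+Av' are stored as True.  The layout is
    assumed from the one line in the thread."""
    match = LIC_RE.search(blob)
    if match is None:
        return None
    fields = {}
    for item in match.group(1).decode("ascii", errors="replace").split(","):
        item = item.strip()
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
        elif item:
            fields[item] = True
    return fields


def license_status(blob: bytes, today: date) -> str:
    """'expired' when the embedded Exp date lies before `today`, 'valid'
    otherwise, 'missing' when no record with an Exp field is present."""
    record = find_license_record(blob)
    if record is None or "Exp" not in record:
        return "missing"
    expiry = date.fromisoformat(record["Exp"])
    return "expired" if expiry < today else "valid"


def check_file(path: str, today: Optional[date] = None) -> str:
    """Convenience wrapper for a real binary on disk (path is the caller's)."""
    with open(path, "rb") as fh:
        return license_status(fh.read(), today or date.today())


if __name__ == "__main__":
    print(find_license_record(CONSTRUCTED_BINARY))
    # Andrew wrote on 2013-04-09; the record expired on 2013-01-31.
    print(license_status(CONSTRUCTED_BINARY, date(2013, 4, 9)))
```

Run as a scheduled check, `check_file` on the installed executable gives the same answer the manual `strings | grep` did, with the date comparison done for you; a result of `expired` is the signal to look for a newer build rather than for a spam-processing fault.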

RE: [Declude.JunkMail] Whois Tests?

2013-03-28 Thread Colbeck, Andrew
What we really need is a test that would do a whois... and that would identify 
newly registered domains.  

Dave, I'm not sure what further you're after, as you specifically mentioned 
spameatingmonkeys.com and one of their tests seems to fit your bill exactly: 
http://spameatingmonkey.com/lists.html#SEM-FRESH10

Similarly, the red list at URIBL, i.e. http://www.uribl.com/about.shtml uses 
freshness as one of the indicators.


Andrew.


-Original Message-
From: Sanford Whiteman [mailto:sa...@figureone.com]
Sent: Friday, March 22, 2013 7:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whois Tests?

That is/was Day Old Bread's goal.

-- S.






RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-11 Thread Colbeck, Andrew
 rejection 
is really directed at those who use high volume public DNS servers. I'm not 
really sure how URIBL even knows which DNS server I use, but that's the claim.  
Since last year, I have had my SM server configured to use the Comcast national 
DNS servers (Comcast being my upstream provider). Since that's supposed to be 
the problem, I switched to our in-house public DNS server, but that didn't help 
either.  Then I tried setting up a private DNS server on the mail server itself 
and still couldn't get it to work.

6. Then I was told that I need to turn off recursion on the DNS server to be 
considered acceptable to URIBL. Again, I don't know why.  The problem is that I 
use the MS DNS server (Win 2008) and when you turn off recursion, it forced off 
forwarding as well.  There are many good reasons for not wanting to turn off 
forwarding (in fact, MS doesn't recommend it). So now I'm stuck between a rock 
and a hard place.

7. I tried writing to the URIBL abuse administrator but got no response and 
couldn't find any other contact information.



Anyone able to correct or illuminate me?



Thanks,



Ben

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-06 Thread Colbeck, Andrew
Ben, check the archive website here 
http://www.mail-archive.com/declude.junkmail@declude.com/ for the mail you’ve 
missed.

Andrew.

From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 10:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks for the heads-up, but I didn’t and still don’t see either my original 
email or the responses.  I just took a look at it via the web interface because 
sometimes Microsoft Live Mail (like Outlook Express before it) will not show 
some messages where it doesn’t like the header, but I just don’t see either my 
message or the responses. I’m assuming what happened was exactly what I was 
asking about – those messages were given high spam scores and deleted.

I don’t suppose you could resend those replies to the list?

Thanks,

Ben
From: Randy Armbrecht mailto:ra...@globalweb.us
Sent: Tuesday, March 05, 2013 11:12 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Your Friday post did show up and already has 2 or 3 responses to it

Sincerely,

Randy Armbrecht
Global Web Solutions, Inc.
Office: 804.442.5300 x112
Toll Free: 877.800.4562
24/7 Tech Support!
Your Internet Source. Since 1996!
NEW GlobalSync Remote-BackUp Solutions!
Web Hosting  -  E-Mail  -  Spam/Virus Gateway Services
Hi-Speed DSL, Ethernet and Wireless Internet -  T-1/T-3's
PC Support - Networking - Virus/MalWare Removal
25% discount on most services for Non-Profits!  Call us today!



From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 1:52 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?

(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)

Hi,

I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.

We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being given much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?

Thanks,

Ben

***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com 
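Ben's three header samples in this thread (the same ones quoted in the 2013-03-11 entry above) can be compared mechanically rather than by eye, which is the first step in answering "which scorer moved?". The following Python is an added example, not SmarterMail's or Declude's code: it unfolds the header blocks, parses `X-SmarterMail-Spam` into per-test values, pulls the Declude score and the total weight, and reports the components whose value differs between samples. The header blocks are constructed from the values in Ben's samples, the `name[:] value` token layout is assumed from what is visible in them, and the unfolder keeps only one value per header name (a repeated header such as `X-SmarterMail-SpamDetail` would need a list instead).

```python
import re

# Three constructed header blocks carrying the values from Ben's samples, with
# the X-SmarterMail-Spam line folded the way a mail server writes it.
SAMPLES = [
    "X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013\n"
    "X-Declude-Tests: SPFUNKNOWN [1]\n"
    "X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None,\n"
    " DKIM_None, URIBL:3, Declude: 0\n"
    "X-SmarterMail-TotalSpamWeight: 15\n",
    "X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013\n"
    "X-Declude-Tests: SPFUNKNOWN [1]\n"
    "X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None,\n"
    " DKIM_None, URIBL:7, Declude: -3\n"
    "X-SmarterMail-TotalSpamWeight: 28\n",
    "X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013\n"
    "X-Declude-Tests: SPFUNKNOWN [1]\n"
    "X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None,\n"
    " DKIM_None, URIBL:10, Declude: -3\n"
    "X-SmarterMail-TotalSpamWeight: 41\n",
]

# One scorer token: a name, an optional ':' and an optional integer score.
COMPONENT_RE = re.compile(r"^(?P<name>[A-Za-z_]+)\s*:?\s*(?P<value>-?\d+)?")
DECLUDE_SCORE_RE = re.compile(r"Score \[(-?\d+)\]")


def unfold(block: str) -> dict:
    """Join RFC 5322 continuation lines (leading whitespace) onto the header
    they belong to.  Later duplicates of a name overwrite earlier ones."""
    headers, last = {}, None
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip()
            headers[last] = value.strip()
    return headers


def spam_components(block: str) -> dict:
    """Parse X-SmarterMail-Spam into {test_name: score or None}."""
    raw = unfold(block).get("X-SmarterMail-Spam", "")
    out = {}
    for token in raw.split(","):
        m = COMPONENT_RE.match(token.strip())
        if m:
            out[m["name"]] = int(m["value"]) if m["value"] is not None else None
    return out


def declude_score(block: str) -> int:
    """Declude's own incoming score from X-Declude-Scan."""
    return int(DECLUDE_SCORE_RE.search(unfold(block)["X-Declude-Scan"]).group(1))


def total_weight(block: str) -> int:
    return int(unfold(block)["X-SmarterMail-TotalSpamWeight"])


def varying_components(blocks) -> list:
    """Names of scorers whose value is not identical across all blocks."""
    parsed = [spam_components(b) for b in blocks]
    names = set().union(*parsed)
    return sorted(n for n in names if len({p.get(n) for p in parsed}) > 1)


def triage(blocks) -> list:
    """Per block: (total weight, {varying scorer: value}) for side-by-side review."""
    names = varying_components(blocks)
    return [(total_weight(b), {n: spam_components(b).get(n) for n in names})
            for b in blocks]


if __name__ == "__main__":
    for total, comps in triage(SAMPLES):
        print(total, comps)
```

Over these three samples the table shows Declude's own score at 0 or -3 while URIBL climbs from 3 to 7 to 10 together with the total weight, which narrows Ben's question to the URIBL lookup, the component the rest of the thread (the resolver-rejection discussion) is about.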

RE: [Declude.JunkMail] Android Yahoo Mail app spam

2012-07-06 Thread Colbeck, Andrew
I took a further look this morning, I have 116 samples from 113 unique
IP addresses from Jun 30 through Jul 03 inclusive.

These really are from Yahoo! and are digitally signed.

The Message-IDs really are unique as they should be, and they should be
constructed by a Yahoo! server, possibly based on information the client
sends them.

Linguistically, the account name in the MAILFROM doesn't match the
region that the IP addresses state are the real sender.

The IP addresses are from all over the map. Some of them are consumer
type Internet access connections, some are corporate.

Some of them are listed as zombie hosts, e.g. with the Cutwail bot.

So, if the Android app was sending it, we'd expect to see some
connections from the IP address space of telephony providers, but I
don't have any in my sample size.

My bet: a spammer looked at the traffic from the Yahoo! app and realized
he could abuse their web service that listens for traffic from their app
without having to use the app at all. He then used legitimate/stolen
Yahoo! mailbox credentials on his usual array of fresh and stale bots on
Windows computers to send the spam via Yahoo! webmail service, while
posing as their Android app. He may not even have had to do anything
except know to use valid Yahoo! credentials while sending to specific
webmail hosts.

The footer may have been added by the spammer as cover, or may have been
automatically inserted by a Yahoo! server for advertising.

That's my theory, and you're welcome to it.


Andrew 8)






From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Friday, July 06, 2012 10:55 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam



After review of my samples, the message ID is not consistent so it would
be a poor criterion.  I've added a body filter to add weight for the
yahoo via android text at the end of each message, but not enough to
block by itself and let the rest of the rules add weight to quarantine.
This seems to be working well enough at the moment.  Andrew's assessment
questioning the author of the article appears to be dead on.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com




From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam



To clarify: is the message ID always exactly the same, or is it similar to:

Message-ID:
1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com





From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the
botnet, explained in a blog post
http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx
First, each message closes with the signature "Sent from Yahoo! Mail on
Android". Secondly, they all share a message ID that reads:

Message-ID:
1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

Is there a preferred way to look for the message header?  This way,
these can be scored high enough to delete.  We're seeing large amounts
of these the last week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com






RE: [Declude.JunkMail] Android Yahoo Mail app spam

2012-07-05 Thread Colbeck, Andrew
If you know the header contains an exact string on a single line:


HEADERS  1 PCRE (?m:^Message-ID:blahblahblah)


Set the score weight as you like.

If you want to do a case-insensitive search, change ?m: to ?im:

If the text inside the blahblahblah would match regexp reserved strings,
you should/must escape them with backslashes. In this case:


HEADERS  1 PCRE (?m:^Message-ID: 1341147286\.19774\.androidMobile@web140302\.mail\.bf1\.yahoo\.com)


Keep in mind that if Terry Zink reported this correctly, then these are
legitimate email clients that are being abused by a trojan on those
handhelds, so you might be throwing out the baby with the bathwater and
blocking some legitimate mail as spam just because they came from a
certain platform.

On the other hand, if these are legitimate clients, the numeric part of
that Message-ID must be unique per message, which makes it likely that
Terry Zink is wrong, and that this is a fake header and footer and
therefore a) safe to block because only spam is using it, and b) the
spammer will soon change this signature and scanning for it will be a
waste of your CPU time.


Andrew.




From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 1:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the
botnet, explained in a blog post
http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx
First, each message closes with the signature "Sent from Yahoo! Mail on
Android". Secondly, they all share a message ID that reads:

Message-ID:
1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

Is there a preferred way to look for the message header?  This way,
these can be scored high enough to delete.  We're seeing large amounts
of these the last week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com





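Andrew's HEADERS/PCRE filter in this thread, and his argument in the 2012-07-06 follow-up that a legitimate client mints a fresh Message-ID per message, can both be checked offline before a line goes into a Declude filter file. The following Python is an added example, not Declude's code or anything from the list: it runs the escaped and unescaped forms of the pattern over constructed header blocks, shows the `(?m:^...)` anchor and the `(?im:...)` case-insensitive variant, and implements the uniqueness test as a function. The header blocks are constructed; they write the Message-ID inside the angle brackets RFC 5322 puts around it, which is an assumption about the real header (the copy quoted on the list has lost them).

```python
import re

# Constructed sample header blocks (not captured mail).  The first carries the
# exact Message-ID from the thread, the second differs by one digit in the
# numeric part, the third replaces every '.' in the host part with 'x'.
SAMPLE_HEADERS = [
    "Received: from web140302.mail.bf1.yahoo.com\n"
    "Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>\n"
    "Subject: hello\n",
    "Received: from web140302.mail.bf1.yahoo.com\n"
    "Message-ID: <1341147287.19774.androidMobile@web140302.mail.bf1.yahoo.com>\n"
    "Subject: hello\n",
    "Received: from web140302xmailxbf1xyahooxcom\n"
    "Message-ID: <1341147286.19774.androidMobile@web140302xmailxbf1xyahooxcom>\n"
    "Subject: hello\n",
]

TARGET_ID = "1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com"

# The pattern as Andrew's HEADERS/PCRE line carries it: anchored to the start
# of a line inside the header block, with the dots escaped.
ESCAPED = r"(?m:^Message-ID: <" + re.escape(TARGET_ID) + r">)"
# The same pattern with the dots left bare: each '.' now matches any character.
UNESCAPED = r"(?m:^Message-ID: <" + TARGET_ID + r">)"
# A lower-cased pattern, once case-sensitive and once with Andrew's ?im: flags.
LOWER = r"(?m:^Message-ID: <" + re.escape(TARGET_ID.lower()) + r">)"
LOWER_CI = r"(?im:^Message-ID: <" + re.escape(TARGET_ID.lower()) + r">)"


def header_matches(pattern: str, headers: str) -> bool:
    """True when the PCRE-style pattern hits anywhere in the header block."""
    return re.search(pattern, headers) is not None


def count_matches(pattern: str, samples) -> int:
    """How many of the sample blocks a filter line would score."""
    return sum(header_matches(pattern, h) for h in samples)


def message_ids(headers: str) -> list:
    """Message-ID values of one header block (the part between the brackets)."""
    return re.findall(r"(?m:^Message-ID:\s*<([^>]+)>)", headers)


def shared_message_id(samples):
    """Andrew's forgery test: if every message in a sample set carries the
    same Message-ID, the header was pasted by the sender rather than minted by
    a server.  Returns the shared ID, or None when the IDs differ."""
    ids = set()
    for h in samples:
        ids.update(message_ids(h))
    return ids.pop() if len(ids) == 1 else None


if __name__ == "__main__":
    for name, pattern in [("escaped", ESCAPED), ("unescaped", UNESCAPED),
                          ("lower", LOWER), ("lower ?im:", LOWER_CI)]:
        print(name, count_matches(pattern, SAMPLE_HEADERS))
    print(shared_message_id(SAMPLE_HEADERS))
    print(shared_message_id([SAMPLE_HEADERS[0]] * 3))
```

The unescaped pattern scores the third block as well as the first, which is the over-match Andrew's backslashes prevent; `shared_message_id` returning an ID for a batch of samples is the condition under which he judges the header forged and safe to score, while a batch of distinct IDs points back to real Yahoo! sessions.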


RE: [Declude.JunkMail] PCRE help

2011-11-16 Thread Colbeck, Andrew
I don't see anything wrong there, Scott.

When I run it through The Regex Coach, I did have to remove the spaces
at the end of the line in your email and then it did work. So, make sure
there is no whitespace at the end of the line in your test file? Make
sure the filter file really is running and not being END'ed before that
line is encountered?





Andrew.




From: Scott Fisher [mailto:sfis...@farmprogress.com]
Sent: Wednesday, November 16, 2011 9:49 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] PCRE help



Subject: [Possible SPAM]=?KOI8-U?B?y8/OxqbExc7DpsrOpiDVx8/EyQ==?=



I am trying to catch a spam with the above subject using the line
below:



ANYWHERE 25 PCRE (?i:((charset|content|lang)=.{0,2}koi8-(r|t|u|ru))|(=\?koi8-(r|t|u|ru)\?[bq]\?))



Can anyone see what I'm doing wrong?







Scott Fisher | IT Director

FARM PROGRESS COMPANIES | 255 38th Avenue, Suite P | St. Charles, IL
60174-5410

630/462-2323 | Fax 630/462-2957 | sfis...@farmprogress.com
mailto:sfis...@farmprogress.com

www.FarmProgress.com http://www.farmprogress.com/



This email message, including any attachments, is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply email and destroy all copies of the original message.
Although Farm Progress Companies has taken reasonable precautions to
ensure no viruses are present in this email, the company cannot accept
responsibility for any loss or damage arising from the use of this email
or attachments.






This message (and any associated files) may contain confidential, proprietary 
and/or privileged material and access to these materials by anyone other than 
the intended recipient is unauthorized. Unauthorized recipients are required to 
maintain confidentiality. Any review, retransmission, dissemination or other 
use of these materials by persons or entities other than the intended recipient 
is prohibited and may be unlawful. If you have received this message in error, 
please notify us immediately and destroy the original.


This message and any document that may be attached to it may contain
confidential or proprietary information. Access to this information by
anyone other than the designated recipient is therefore prohibited.
Unauthorized persons or entities must respect the confidentiality of this
information. Reading, retransmitting, communicating or otherwise using
this information by an unauthorized person or entity is strictly
prohibited. If you have received this message in error, please notify us
immediately and destroy it.



RE: [Declude.JunkMail] Solid State Drives

2011-09-28 Thread Colbeck, Andrew
Don, if it's the I/O speed of an SSD that catches your interest, and you
have RAM to spare (and some CPU), you could try a free virtual hard
drive (up to 650 MB) from StarWind:

http://www.starwindsoftware.com/high-performance-ram-disk-emulator

This would be an easier experiment than installing an SSD. This is a
simple emulator, so no fancy features like a shadow backed disk to save
the contents on shutdown.

With the CDROM sized disk limit, make sure that your experiment
doesn't run so long that you run out of disk space.

FWIW, modern versions of SSD *should* have lots of lifetime without
worry about their maximum number of writes, but to be confident, pay the
extra to get an enterprise model.

NB: I've tried it and liked it. I first heard about it on this list from
Sanford Whiteman; I haven't tried it as part of the free iSCSI initiator
he actually recommended http://www.starwindsoftware.com/initiators e.g.

 Gary,  I  think  I might have spaced on a similar question you asked a
 while back.

 I  recommend  Starwind  Software's RAM disk -- the one that comes with
 their  iSCSI  initiator  (you  don't  actually  need  any iSCSI SAN in
 place). We use it on 2003 + 2008.

 -- Sandy


Andrew.



-Original Message-
From: decl...@mail.net1media.com [mailto:decl...@mail.net1media.com]
Sent: Friday, September 23, 2011 3:25 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Solid State Drives


Hi All,

Has anyone attempted to place the \IMail\Spool directory on a solid state
hard drive?  What are your experiences?  Are there any reason not to do
this?

Thanks for the input,
Don






RE: [Declude.JunkMail] AOL Header Test

2011-09-06 Thread Colbeck, Andrew
Rick, you have a space between the colon and the YES and, if I remember
correctly, AOL does not put a space there.

#Email from AOL which they believe is spam
HEADERS   0 CONTAINS X-SPAM-FLAG:YES

On the other hand, there is a case-sensitive flavour that comes out of
SpamAssassin, and AOL provides this format at their Postmaster FAQ page
for mail that people send to AOL accounts:

#Email from a SpamAssassin implementation that believes the outbound mail
was spam
HEADERS   0 CONTAINS X-Spam-Flag: YES

http://postmaster.aol.com/Postmaster.FAQ.php


Andrew.



From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Tuesday, September 06, 2011 3:06 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] AOL Header Test



Hello,

I have a combo test for scrutinizing AOL and the large webmail
providers, I am trying to trigger on an AOL X header with this



HEADERS 0 CONTAINS X-SPAM-FLAG: YES



any idea why this wouldn't hit?



--

Rick




CONFIDENTIALITY NOTICE

This e-mail message and any attachments contain confidential and/or
privileged information for the sole use of the intended recipient. If
you are not the intended recipient, you may not read, disseminate,
distribute or copy this e-mail message or any attachments. Please notify
the sender immediately by reply e-mail if you received this e-mail
message by mistake and delete this e-mail message and any attachments
from your system. E-mail transmission cannot be guaranteed to be secure
or error-free as information could be intercepted, corrupted, lost,
destroyed, delayed, incomplete, or contain viruses. The sender,
therefore, does not accept liability for any errors or omissions in the
contents of this e-mail message or any attachments, which arise as a
result of e-mail transmission. If verification is required, please
request a hard-copy version.

-. .- -


You have received this e-mail due to a past or current transaction or as
a result of our efforts to keep you in touch with current developments
affecting your industry. If you wish to unsubscribe from any future
general information mailings, please click here
mailto:rdavid...@nat.com?subject=UNSUBSCRIBEbcc=unsubscr...@nat.com .

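As an added illustration (example code, not Declude's parser and not anything posted in these threads), the following evaluates Declude-style CONTAINS and PCRE filter lines against one header line, using Python's re module in place of PCRE. It reproduces the trailing-whitespace failure Andrew suspects in the KOI8 thread above and the colon-spacing mismatch in this AOL thread, and adds a constructed spacing-tolerant PCRE line that fires on either form; the four-field line format and case-insensitive CONTAINS are assumptions.

```python
import re

# Added example, not Declude's parser and not code from the threads above.
# Assumed line format: "<where> <weight> <type> <pattern>", where the pattern
# is everything after the third field, taken verbatim (so trailing whitespace
# on the line becomes part of the pattern). CONTAINS is treated as a
# case-insensitive substring; PCRE is approximated with Python's re module.

def parse_filter_line(line):
    parts = line.split(None, 3)          # the remainder keeps its trailing spaces
    if len(parts) != 4:
        raise ValueError("not a 4-field filter line: %r" % line)
    where, weight, test_type, pattern = parts
    return where.upper(), int(weight), test_type.upper(), pattern


def line_matches(filter_line, text):
    """True if the filter line fires on 'text' (one header line or subject)."""
    _where, _weight, test_type, pattern = parse_filter_line(filter_line)
    if test_type == "PCRE":
        return re.search(pattern, text) is not None
    if test_type == "CONTAINS":
        return pattern.lower() in text.lower()
    raise ValueError("unsupported test type: " + test_type)


def total_weight(filter_lines, text):
    """Sum of the weights of every filter line that fires on 'text'."""
    return sum(parse_filter_line(f)[1] for f in filter_lines if line_matches(f, text))


def lint_filter_line(filter_line):
    """Warnings for the two pitfalls raised in the threads above."""
    warnings = []
    if filter_line != filter_line.rstrip():
        warnings.append("trailing whitespace becomes part of the pattern")
    _where, _weight, test_type, pattern = parse_filter_line(filter_line)
    if test_type == "CONTAINS" and ":" in pattern:
        warnings.append("CONTAINS is an exact substring: spacing after ':' must match the header byte for byte")
    if test_type == "PCRE":
        try:
            re.compile(pattern)
        except re.error as exc:
            warnings.append("pattern does not compile: %s" % exc)
    return warnings


# Constructed inputs. The filter line and subject are the ones from the KOI8
# thread; the header values mirror the two spacings discussed in the AOL thread.
KOI8_FILTER = (r"ANYWHERE 25 PCRE "
               r"(?i:((charset|content|lang)=.{0,2}koi8-(r|t|u|ru))|(=\?koi8-(r|t|u|ru)\?[bq]\?))")
KOI8_SUBJECT = "Subject: [Possible SPAM]=?KOI8-U?B?y8/OxqbExc7DpsrOpiDVx8/EyQ==?="
AOL_FLAG = "X-Spam-Flag:YES"        # constructed: no space after the colon
SA_FLAG = "X-Spam-Flag: YES"        # constructed: SpamAssassin-style spacing
# Constructed alternative: one PCRE line that accepts either spacing.
FLAG_EITHER_SPACING = r"HEADERS 0 PCRE (?i:^X-Spam-Flag:\s*YES)"

if __name__ == "__main__":
    for f in (KOI8_FILTER, KOI8_FILTER + " "):
        print(repr(f[-6:]), line_matches(f, KOI8_SUBJECT), lint_filter_line(f))
    for f in ("HEADERS 0 CONTAINS X-SPAM-FLAG:YES",
              "HEADERS 0 CONTAINS X-SPAM-FLAG: YES", FLAG_EITHER_SPACING):
        print(f, line_matches(f, AOL_FLAG), line_matches(f, SA_FLAG))
```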


RE: [Declude.JunkMail] error message in declude log

2011-08-17 Thread Colbeck, Andrew
Sometimes a cigar is just a cigar.

Look at the order of your lines. You have a duplicate pair of weight4
lines between your 7 and 8 pair.


Andrew 8)



-Original Message-
From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Wednesday, August 17, 2011 4:56 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] error message in declude log

Hi,

I'm getting the following lines in my log file:

08/17/2011 16:33:31.218 q4fc823f5c012.smd Warning: misconfiguration in following line in configuration file ('weight' is not an ACTION). May be a duplicate test definition?
08/17/2011 16:33:31.218 q4fc823f5c012.smd WEIGHT4 weight x x 4 0
08/17/2011 16:33:31.218 q4fc823f5c012.smd Warning: misconfiguration in following line in configuration file ('weightrange' is not an ACTION). Maybe a duplicate test definition?
08/17/2011 16:33:31.218 q4fc823f5c012.smd WEIGHT4r weightrange x x 4 8

They seem to only cover tests 4 and 4r, but I actually have a whole
series of these:

#WEIGHT10 weight  x x 10 0
#WEIGHT14 weight  x x 14 0
#WEIGHT20 weight  x x 20 0
#WEIGHT30 weight  x x 30 0
WEIGHT5  weight  x x 5 0
WEIGHT5r weightrange x x 5 9
WEIGHT10 weight  x x 10 0
WEIGHT10r weightrange x x 10 14
WEIGHT15 weight  x x 15 0
WEIGHT15r weightrange x x 15 19
WEIGHT20 weight  x x 20 0
WEIGHT20r weight  x x 20 29
WEIGHT30 weight  x x 30 0
WEIGHT30r weight  x x 30 39
WEIGHT2  weight  x x 2 0
WEIGHT2r weightrange x x 2 4
WEIGHT3  weight  x x 3 0
WEIGHT3r weightrange x x 3 6
WEIGHT4  weight  x x 4 0
WEIGHT4r weightrange x x 4 8
WEIGHT6  weight  x x 6 0
WEIGHT6r weightrange x x 6 9
WEIGHT7  weight  x x 7 0
WEIGHT7r weightrange x x 7 14
WEIGHT4  weight  x x 4 0
WEIGHT4r weightrange x x 4 8
WEIGHT8  weight  x x 8 0
WEIGHT8r weightrange x x 8 12
WEIGHT9  weight  x x 9 0
WEIGHT9r weightrange x x 9 12
WEIGHT12 weight  x x 12 0
WEIGHT12r weightrange x x 12 15

I didn't have this problem before. Any idea what I screwed up?

Thanks,

Ben

(global.cfg attached)


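An added example (not Declude's own parser): a small linter that reproduces the rule implied by the warning in Ben's log, so a duplicated pair like the second WEIGHT4/WEIGHT4r above is reported before Declude reloads the file. The behaviour it assumes is that the first line starting with a name defines the test and any later line starting with the same name is read as an action line; the action keyword set is a partial assumption.

```python
# Added example (not Declude's own parser): a linter for the duplicate-test
# problem in the thread above. Assumed behaviour: the first line that starts
# with a name defines that test; any later line starting with the same name is
# read as an ACTION line for it, so a repeated definition shows up as
# "'weight' is not an ACTION". Names are compared case-insensitively (assumed).
# Other global.cfg directives that legitimately repeat would need excluding.

# Partial, assumed set of action keywords; extend it to match your global.cfg.
ACTIONS = {"WARN", "HOLD", "DELETE", "BOUNCE", "IGNORE", "ROUTETO", "COPYTO",
           "MAILBOX", "SUBJECT", "HEADER", "FOOTER"}


def lint_global_cfg(text):
    """Return (line_no, name, second_field) for each line that re-uses an
    already defined test name with a second field that is not an action."""
    defined = set()
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # blank or commented out
        fields = line.split()
        name = fields[0].upper()
        if name not in defined:
            defined.add(name)            # first sighting: this is the definition
            continue
        second = fields[1] if len(fields) > 1 else ""
        if second.upper() not in ACTIONS:
            problems.append((no, fields[0], second))
    return problems


def drop_duplicate_definitions(text):
    """Return the config with every flagged duplicate definition removed."""
    bad = {no for no, _name, _second in lint_global_cfg(text)}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample modelled on the excerpt above: WEIGHT4/WEIGHT4r appear
# twice, and the last line is a legitimate action line for WEIGHT4.
SAMPLE_CFG = """\
#WEIGHT10 weight  x x 10 0
WEIGHT4  weight  x x 4 0
WEIGHT4r weightrange x x 4 8
WEIGHT7  weight  x x 7 0
WEIGHT7r weightrange x x 7 14
WEIGHT4  weight  x x 4 0
WEIGHT4r weightrange x x 4 8
WEIGHT8  weight  x x 8 0
WEIGHT8r weightrange x x 8 12
WEIGHT4 HOLD
"""

if __name__ == "__main__":
    for no, name, second in lint_global_cfg(SAMPLE_CFG):
        print("line %d: %s already defined; '%s' is not an ACTION" % (no, name, second))
```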



RE: [Declude.JunkMail] regular expressions and IS

2011-08-10 Thread Colbeck, Andrew
Rich, PCRE searches against BODY can be very expensive, particularly when you 
do a .* expression, which will try to match very long strings.

You can give your CPU a break by changing .* to a judicious text size 
restriction e.g. .{5,100}

body 0 PCRE (?i:^http\:\/\/.{5,100}\.(html|htm|php)$)


Andrew 8)


-Original Message-
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Tuesday, August 09, 2011 7:51 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] regular expressions and IS


just looking for text emails with nothing more than a url in the body

David answered my question, I was over thinking it, by leading with the ^ and 
ending with the $ that makes the RegEx an IS statement

body 0 PCRE (?i:^http\:\/\/.*\.(html|htm|php)$)

it's working

--
Rick


-Original Message-
From: Nick Hayer [mailto:n...@madriveraccess.com]
Sent: Tuesday, August 09, 2011 6:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] regular expressions and IS


BODY. CONTAINS. Bla bla

Is that what you are looking for?

-Nick



On Aug 9, 2011, at 3:26 PM, David Barker dbar...@declude.com wrote:


 The expression is the IS

 Can you post a few examples of what you are trying to catch?

 -Original Message-
 From: Rick Davidson [mailto:rdavid...@nat.com]
 Sent: Tuesday, August 09, 2011 2:34 PM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] regular expressions and IS

 I am working on a combo filter to catch the aol/hotmail/yahoo url spam

 is there a way to use a regular expression with IS

 body 0 IS/PCRE (?i:^http\:\/\/.*\.(html|htm|php)$)

 any suggestions welcome

 --
 Rick



RE: [Declude.JunkMail] Blocking on no REV DNS?

2011-02-14 Thread Colbeck, Andrew
For what it's worth, I still test against REVDNS and it's never been
worth a HOLD action all by itself.
 
I score it at 25% of my HOLD weight threshold.
 
Reverse DNS lookups can go through a lot of lookups; if their DNS is too
slow and doesn't respond, you will inadvertently score against them
unfairly. Worse, if your DNS is slow or your Internet tube is clogged,
you'll inadvertently score against everybody.
 
I keep a single file full of counterweight lines (instead of
whitelisting) and the comments are inconsistent, but a quick check tells
me that 4% of the comments I made included a mention that the sender
triggered REVDNS.
 
If you want to get fancy, look into using or making combo tests where
you add weight based on tests being triggered.
 
 
Andrew from Vancouver.
 



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, February 14, 2011 6:22 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking on no REV DNS?


Years ago it was recommended not to block mail on a missing reverse DNS
because many legitimate mail servers were mis-configured.  
 
We know services like AOL block on missing DNS.  Just wondering, do you
block on missing REV DNS?  If not, do you at least add weight?  
 
I'm getting to the point where if a mail server doesn't have a reverse
DNS then I'm thinking the heck with them

---
[This E-mail was scanned by Declude] 


 

We are pleased to announce that Bentall LP and Kennedy Associates Real Estate 
Counsel, LP joined forces on December 1, 2010. To learn more, visit: 
www.bentallkennedy.com

 
We are pleased to announce that Bentall LP and Kennedy Associates Real Estate
Counsel LP joined forces on December 1, 2010. To learn more, visit
www.bentallkennedy.com

 


RE: [Declude.JunkMail] Filter for this?

2011-02-14 Thread Colbeck, Andrew
Dave, the target IP address is a really old spammer block according to
SpamHaus:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL79159
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL79123

Do you have a URL scanner? It should have picked off this one sample.
Besides the Zero Day component of Declude, there's a de facto add-on
that's used by the denizens of this list, but I forget what it's called.

FWIW, no, I'm not seeing this particular domain or destination IP in the
last 45 days.


Andrew.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, February 14, 2011 2:07 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Filter for this?


 
Anyone put together a filter for this?
 

Getting dozens of these a day coming through.








RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-09 Thread Colbeck, Andrew
Harry, the snippet I included was the literal text, you don't have to
make any substitutions.
 
To avoid email formatting and readability issues, I am now attaching
that as a text file. I hope that helps.
 
 
Andrew.
 



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
Harry Vanderzand
Sent: Thursday, December 09, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and other free account blacklisted servers



Have been following this and tried to use it.

 

However now I am not sure I did it right.

 

Do I leave X-originating-IP in the code, or do I have to substitute an
IP or something else?

 

Thank you

 

Please note our new Address

 

Harry Vanderzand

Intown Internet

740 Erbsville Road

Waterloo, On, N2J 3Z4

519-741-1222

 

DISCLAIMER: The information in this message is confidential and may be
legally privileged. It is intended solely for the addressee. Access to
this message by anyone else is unauthorised. If you are not the intended
recipient, any disclosure, copying,or distribution of the message, or
any action or omission taken by you in reliance on it, is prohibited and
may be unlawful. Please immediately contact the sender if you have
received this message in error. Thank you. 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: December-09-10 1:49 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and other free account blacklisted servers

 

fyi - the 'X-Originating-IP as well as 'X-AOL-IP  are the senders ip
- they have no relation to yahoo or aol.  What you can do with these
ip's - which is what I do - is look up 'um up in blacklists..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 



From: Colbeck, Andrew acolb...@bentallkennedy.com
Sent: Wednesday, December 08, 2010 5:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and other free account blacklisted servers


Thanks, Pete and Scott.

As always, Pete, that change worked as advertised. I've put in a slight
tweak as well as Scott's AOL suggestion, I pre-pended a period to
qualify the domains tighter (I also left in the examples, that's my own
practice for self-documentation)


<source>
<!-- <header name='X-Use-This-Source:' received='mixedsource.com [' ordinal='0' /> -->
<!-- <header name='X-Originating-IP:' received='hotmail.com [' ordinal='0' /> -->
<header name='X-Originating-IP:' received='.hotmail.com [' ordinal='0' />
<header name='X-AOL-IP:' received='.aol.com [' ordinal='0' />
</source>

I sent myself three messages from my own Hotmail account, and then
checked my own firewall's IP address in my local GBU:

CD \messagesniffer

SNFClient.exe -test 1.2.3.4
GBUdb Record for 1.2.3.4
Type Flag: ugly
Bad Count: 0
Good Count: 3
Probability: -1
Confidence: 0.113212
Range: normal
Code: 0

Hopefully, others will choose to also pay in to the system, and
regardless, I'll see less Hotmail and AOL spam from known zombie IP
addresses!


Andrew 8)


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
Scott Fisher
Sent: Monday, December 06, 2010 1:18 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and other free account blacklisted servers


I made this change immediately. Like Andrew I've always wondered why the
Hotmail header hasn't been targeted by someone.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Monday, December 06, 2010 2:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and
other free account blacklisted servers


On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
 I have the same position as Scott.

 I find that the MessageSniffer product from ARM Research is the most
reliable test

<snip/>

 Hotmail in particular would be less effective for the bad guys if I had
 an antispam tool that would determine from the headers that the sender
 was from Hotmail (or others) and then check the

 X-Originating-IP: [111.222.333.444]

<snip/>

 I've suggested it before but vendors are, quite reasonably, leery of
 building into their product a feature that is specific to a few
 providers while being prone to false positives.

Actually, if I may, Message Sniffer has precisely that feature built
into GBUdb training.

Specifically, you can tell Message Sniffer to identify the source IP for
the message based on the presence of a specific header. This feature was
designed specifically for hotmail and other systems that provide
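To make the <source> rules in Andrew's snippet concrete, here is an added example (my own code, not MessageSniffer's implementation) of the selection logic as I understand it: when the topmost Received header contains the rule's 'received' text, the source IP comes from the named header rather than from the Received line. It also shows why the leading period matters, using a constructed look-alike host name; the 'ordinal' attribute is not modelled, and all messages and addresses are constructed.

```python
import re

# Added example, not MessageSniffer's implementation. It models what the
# <source> rules in Andrew's snippet ask for, as I understand them: when the
# topmost Received header contains the rule's 'received' text, take the source
# IP from the named header instead of from the Received line. The 'ordinal'
# attribute is not modelled (assumption: it selects which occurrence to use).

SOURCE_RULES = [                     # mirrors the two active rules above
    ("X-Originating-IP:", ".hotmail.com ["),
    ("X-AOL-IP:", ".aol.com ["),
]
LOOSE_RULES = [("X-Originating-IP:", "hotmail.com [")]   # the commented-out form

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_headers(raw):
    """Header block -> list of (lowercased name, value); folded lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # end of header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def source_ip(raw_headers, rules=SOURCE_RULES):
    """IP to train GBUdb on: the named header's IP when a rule applies,
    otherwise the IP in the topmost Received header."""
    headers = parse_headers(raw_headers)
    received = [v for n, v in headers if n == "received"]
    top = received[0] if received else ""
    for header_name, marker in rules:
        if marker.lower() not in top.lower():
            continue                                # rule does not apply
        wanted = header_name.rstrip(":").lower()
        for n, v in headers:
            m = IPV4.search(v) if n == wanted else None
            if m:
                return m.group(1)
    m = IPV4.search(top)
    return m.group(1) if m else None


# Constructed messages using documentation address ranges.
HOTMAIL_MSG = """Received: from snt0-omc2-s26.snt0.hotmail.com [198.51.100.7] by mail.example.net
Received: from SNT123-W45 ([198.51.100.200]) by snt0-omc2-s26.snt0.hotmail.com
X-Originating-IP: [192.0.2.44]
From: someone@hotmail.com
Subject: hello

body
"""
# Looks like Hotmail only if the leading period is dropped from the rule.
LOOKALIKE_MSG = """Received: from mail.nothotmail.com [203.0.113.9] by mail.example.net
X-Originating-IP: [192.0.2.44]
From: someone@nothotmail.com

body
"""
PLAIN_MSG = """Received: from mx.example.org [203.0.113.50] by mail.example.net
From: a@example.org

body
"""

if __name__ == "__main__":
    print(source_ip(HOTMAIL_MSG), source_ip(LOOKALIKE_MSG),
          source_ip(LOOKALIKE_MSG, LOOSE_RULES), source_ip(PLAIN_MSG))
```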

RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-09 Thread Colbeck, Andrew
Addendum: You do not need to restart the MessageSniffer service after you 
modify the .xml file, the change is automatically picked up. You can spot this 
in your log when there is a line that says --RELOADING--.
 
 
Andrew.
 


From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck, 
Andrew
Sent: Thursday, December 09, 2010 12:26 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and 
other free account blacklisted servers


Harry, the snippet I included was the literal text, you don't have to make any 
substitutions.
 
To avoid email formatting and readability issues, I am now attaching that as a 
text file. I hope that helps.
 
 
Andrew.
 



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry 
Vanderzand
Sent: Thursday, December 09, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and 
other free account blacklisted servers



Have been following this and tried to use it.

However now I am not sure I did it right.

Do I Leave X-originating-IP in the code Or do I have to substitute and IP or 
something else?

Thank you

Please note our new Address

Harry Vanderzand

Intown Internet

740 Erbsville Road

Waterloo, On, N2J 3Z4

519-741-1222

DISCLAIMER: The information in this message is confidential and may be legally 
privileged. It is intended solely for the addressee. Access to this message by 
anyone else is unauthorised. If you are not the intended recipient, any 
disclosure, copying,or distribution of the message, or any action or omission 
taken by you in reliance on it, is prohibited and may be unlawful. Please 
immediately contact the sender if you have received this message in error. 
Thank you. 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: December-09-10 1:49 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and 
other free account blacklisted servers

fyi - the 'X-Originating-IP as well as 'X-AOL-IP  are the senders ip - they 
have no relation to yahoo or aol.  What you can do with these ip's - which is 
what I do - is look up 'um up in blacklists..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm



From: Colbeck, Andrew acolb...@bentallkennedy.com
Sent: Wednesday, December 08, 2010 5:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and 
other free account blacklisted servers


Thanks, Pete and Scott.

As always, Pete, that change worked as advertised. I've put in a slight
tweak as well as Scott's AOL suggestion: I prepended a period to
qualify the domains more tightly (I also left in the examples; that's my own
practice for self-documentation).


<source>
<!-- <header name='X-Use-This-Source:' received='mixedsource.com [' ordinal='0' /> -->
<!-- <header name='X-Originating-IP:' received='hotmail.com [' ordinal='0' /> -->
<header name='X-Originating-IP:' received='.hotmail.com [' ordinal='0' />
<header name='X-AOL-IP:' received='.aol.com [' ordinal='0' />
</source>

I sent myself three messages from my own Hotmail account, and then
checked my own firewall's IP address in my local GBU:

CD \messagesniffer

SNFClient.exe -test 1.2.3.4
GBUdb Record for 1.2.3.4
  Type Flag: ugly
  Bad Count: 0
 Good Count: 3
Probability: -1
 Confidence: 0.113212
      Range: normal
       Code: 0

Hopefully, others will choose to also pay in to the system, and
regardless, I'll see less Hotmail and AOL spam from known zombie IP
addresses!


Andrew 8)


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
Scott Fisher
Sent: Monday, December 06, 2010 1:18 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and other free account blacklisted servers


I made this change immediately. Like Andrew I've always wondered why the
Hotmail header hasn't been targeted by someone.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Monday, December 06, 2010 2:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and
other free account blacklisted servers


On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
 I have the same position as Scott.

 I find that the MessageSniffer product from ARM Research is the most reliable test

snip/

 Hotmail in particular would be less effective for the bad guys if I had an antispam tool that would determine from the headers that the sender was from Hotmail (or others) and then check the

 X

RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-08 Thread Colbeck, Andrew
Thanks, Pete and Scott.

As always, Pete, that change worked as advertised. I've put in a slight
tweak as well as Scott's AOL suggestion: I prepended a period to
qualify the domains more tightly (I also left in the examples; that's my own
practice for self-documentation).


<source>
<!-- <header name='X-Use-This-Source:' received='mixedsource.com [' ordinal='0' /> -->
<!-- <header name='X-Originating-IP:' received='hotmail.com [' ordinal='0' /> -->
<header name='X-Originating-IP:' received='.hotmail.com [' ordinal='0' />
<header name='X-AOL-IP:' received='.aol.com [' ordinal='0' />
</source>

I sent myself three messages from my own Hotmail account, and then
checked my own firewall's IP address in my local GBU:

CD \messagesniffer

SNFClient.exe -test 1.2.3.4
GBUdb Record for 1.2.3.4
  Type Flag: ugly
  Bad Count: 0
 Good Count: 3
Probability: -1
 Confidence: 0.113212
  Range: normal
   Code: 0

Hopefully, others will choose to also pay in to the system, and
regardless, I'll see less Hotmail and AOL spam from known zombie IP
addresses!


Andrew 8)


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
Scott Fisher
Sent: Monday, December 06, 2010 1:18 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and other free account blacklisted servers


I made this change immediately. Like Andrew I've always wondered why the
Hotmail header hasn't been targeted by someone.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Monday, December 06, 2010 2:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and
other free account blacklisted servers


On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
 I have the same position as Scott.

 I find that the MessageSniffer product from ARM Research is the most reliable test

snip/

 Hotmail in particular would be less effective for the bad guys if I had an antispam tool that would determine from the headers that the sender was from Hotmail (or others) and then check the

 X-Originating-IP: [111.222.333.444]

snip/

 I've suggested it before but vendors are, quite reasonably, leery of building into their product a feature that is specific to a few providers while being prone to false positives.

Actually, if I may, Message Sniffer has precisely that feature built 
into GBUdb training.

Specifically, you can tell Message Sniffer to identify the source IP for
the message based on the presence of a specific header. This feature was
designed specifically for hotmail and other systems that provide a 
source IP for one reason or another -- (perhaps complex internal
routing).

For configuration information see:

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

If you configure this training mechanism for GBUdb in your Message 
Sniffer engine then GBUdb will become much more accurate for messages 
coming through that source.

Best,

_M


-- 
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010




---
[This E-mail was scanned by Declude]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.





 

We are pleased to announce that Bentall LP and Kennedy Associates Real Estate 
Counsel, LP joined forces on December 1, 2010. To learn more, visit: 
www.bentallkennedy.com

 

 
This message (and any associated files) may contain confidential, proprietary 
and/or privileged material and access to these materials by anyone other than 
the intended recipient is unauthorized. Unauthorized recipients are required to 
maintain confidentiality. Any review, retransmission, dissemination or other 
use of these materials by persons or entities other than the intended recipient 
is prohibited and may be unlawful. If you have received this message in error, 
please notify us immediately and destroy the original.

 
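Worked example added by the editor (not code from the thread, from Message Sniffer or from Declude): the trust rule that the <header ... received='.hotmail.com [' ordinal='0' /> snippet above expresses, written out in Python so the security point is visible. The provider's header is only believed when the Received: hop at the given ordinal shows the message was actually handed over by that provider; otherwise a spammer can simply add his own X-Originating-IP: line and point you at an innocent address. The provider table, the hop-string check, the sample messages, hostnames and relay addresses are all assumptions constructed for the example, and ordinal 0 is taken to mean the topmost Received: line.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address

# Provider header -> text the Received: hop must contain before the header is
# believed.  Hypothetical table mirroring the snippet's received='.hotmail.com ['
# attribute; not Message Sniffer's own configuration.
PROVIDER_HEADERS = {
    'X-Originating-IP': '.hotmail.com [',
    'X-AOL-IP': '.aol.com [',
}

IP_RE = re.compile(r'\[?(\d{1,3}(?:\.\d{1,3}){3})\]?')


def usable_source(ip) -> bool:
    """A source worth scoring: not RFC 1918, loopback, link-local or multicast."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def originating_ip(raw_message: str, ordinal: int = 0):
    """Return (header_name, ip) for the sender IP the webmail provider stamped
    on the message, or None when the Received: hop at `ordinal` (0 = topmost)
    does not show the message arriving from that provider, in which case the
    header could have been written by the sender himself."""
    msg = message_from_string(raw_message, policy=default)
    hops = msg.get_all('Received') or []
    if ordinal >= len(hops):
        return None
    hop = ' '.join(str(hops[ordinal]).split())      # unfold, collapse whitespace
    for header, must_contain in PROVIDER_HEADERS.items():
        if must_contain not in hop:
            continue                                # not handed to us by this provider
        match = IP_RE.search(msg.get(header, ''))
        if not match:
            continue
        try:
            ip = ip_address(match.group(1))
        except ValueError:                          # e.g. an octet above 255
            continue
        if usable_source(ip):
            return header, str(ip)
    return None


# Constructed sample messages (hostnames and relay addresses are made up).
HOTMAIL_MSG = """\
Received: from outbound.hotmail.com [192.0.2.10] by mail.example.net
  with ESMTP; Wed, 8 Dec 2010 17:40:00 -0800
X-Originating-IP: [1.2.3.4]
From: someone@hotmail.com
To: andrew@example.net
Subject: hotmail sample

body
"""
AOL_MSG = (HOTMAIL_MSG.replace('outbound.hotmail.com', 'outbound.mx.aol.com')
           .replace('X-Originating-IP: [1.2.3.4]', 'X-AOL-IP: 1.2.3.4'))
# Same header, but the message never touched Hotmail: the header is untrusted.
FORGED_MSG = HOTMAIL_MSG.replace('outbound.hotmail.com', 'mail.example.org')
# Genuine hop, but the stamped address is RFC 1918: nothing useful to score.
PRIVATE_MSG = HOTMAIL_MSG.replace('[1.2.3.4]', '[10.0.0.7]')
```

The address that comes back is the one to feed to your DNSBL or GBUdb lookup; a None means you fall back to scoring the connecting relay as usual.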

RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-06 Thread Colbeck, Andrew
I have the same position as Scott. 

I find that the MessageSniffer product from ARM Research is the most reliable 
test at catching spam from freemail accounts. Second best is a URI product, but 
much of the spam from freemail accounts is scam text that doesn't have a URL, 
or the spammer obfuscates it by not describing the domain rather than 
specifying it e.g. he will write example.com instead of 
http://www.example.com/marketing (I just fabricated this example).

Hotmail in particular would be less effective for the bad guys if I had an 
antispam tool that would determine from the headers that the sender was from 
Hotmail (or others) and then check the

X-Originating-IP: [111.222.333.444]

header they add, which is invariably a source address I'd block because it's 
listed in XBL or other DYNA blacklists.

I've suggested it before but vendors are, quite reasonably, leery of building 
into their product a feature that is specific to a few providers while being 
prone to false positives.

 
Andrew from Vancouver


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Friday, December 03, 2010 8:38 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and 
other free account blacklisted servers


 
My problem is the reverse, I get so much spam from hacked
aol/hotmail/gmail/yahoo accounts that it's getting to the point that these
services are spammers. I hope some more places blacklist them so that maybe
they'll clean up their act. Like that would happen...

Unfortunately a disproportionate amount of my email spam administration time
is spent solely on these free providers trying to fine tune the filters to
block the spam, without much collateral damage.


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, December 03, 2010 8:39 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and
other free account blacklisted servers


You can also use my filters GOOD-REVDNS and HAM-INDICATOR, as well as
ISP-HOTMAIL, ISP-YAHOO etc., which are available from the Declude website.
These can help reduce false positives.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 -Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary
Steiner
Sent: Friday, December 03, 2010 9:17 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and
other free account blacklisted servers

Try using the following whitelists:

http://www.abuses.es/eswl/index.html.en

http://www.dnswl.org/

Both are fairly reliable.



 Original Message 
 From: Chris Patterson ch...@rseng.net
 Sent: Wednesday, December 01, 2010 10:01 PM
 To: declude.junkmail@declude.com declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and 
other free account blacklisted servers
 
 We have been seeing a dramatic increase in free webmail server IPs being 
blacklisted and causing false positives from the usual Hotmail, MSN, Yahoo, 
AOL, Gmail, and other free email servers listed on RBLs, SpamCop, Spamhaus, 
etc.
 
 This has caused a tendency for customers to want to whitelist these 
domains, which we do have on per domain/per user settings; however, it still 
must be explained and applied.
 
 I can provide hundreds of these blacklisted IPs in the logs; however, I 
was hoping a number of you have developed a list of reverse DNS IP or 
hostname entry files to subtract from Sniffer and/or UR-IBL scoring that 
will allow the good emails through from blacklisted IPs, or some ruleset 
that has the same effect.
 
 This has become a very annoying issue for us, any help/ideas would be 
appreciated. 
 
 
 Chris Patterson, CCNA
 Special Projects and Advanced Engineering Manager
 Rapid Systems
 http://www.rapidsys.com
 KB:  http://support.rapidsys.com
 
 










RE: [Declude.JunkMail] Regex to block this?

2010-07-27 Thread Colbeck, Andrew
Flavour of the day:

Relevant bits of the header:

Received: from payoff.all-debt-forever.com [173.192.161.27]

Subject: Stay on top of your credit report
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline


Header has DKIM.

Network allocation is: 173.192.161.16/28 to pikinetworks

From the header you can see that the body will be plain text, not HTML.

The payload link has 37 characters 0-9 and a-z:

http://payoff.all-debt-forever.com/02138174505792882531178a7d79a040f797d

The unsubscribe link has 33 characters 0-9 and a-z:

http://payoff.all-debt-forever.com/78a7d79a040f797d40213817450579288



Andrew 8)


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, July 23, 2010 6:40 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block this?


On 7/23/2010 9:19 PM, Matt wrote:
 I guess my point here is that they are both very high volume spammers, 
 and they both randomize sufficiently so that blocking them requires 
 blocking their domains and having the samples available, but putting 
 in proactive rules will only last a short time.  What Sniffer may need 
 is a better source of this spam.  Between the two, I believe I am 
 getting about 15,000 each day.

Better sources are always good -- the sooner we see it the faster we can
code solutions.

As it turns out all of the samples provided had current rules in place 
based on our standard vectors... so we are capturing these. My guess is 
that you're right and the timing of these attacks is important.

That said, I was able to find some structural vectors for the first 
group -- I've set up some abstracts based on those vectors and I'm 
waiting to see what the capture rates will be... If this approach is 
successful we should be able to preemptively defeat some of next few 
campaigns. Then I will apply the same types of mechanisms to the other 
groups and see if we can generate some internal methodologies to evolve 
structural abstracts for these as we see new variants based on the 
successful models we've generated.

_M

-- 
President
MicroNeil Research Corporation
www.microneil.com

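Added example, written by the editor rather than taken from the thread, from Message Sniffer or from Declude: one way to turn Andrew's sample into the kind of "structural vector" Pete describes, so that the rule does not name the domain and survives the next re-spin. The rule keys on the shape of the two links (a host followed by a single long alphanumeric token and nothing else) plus the plain-text body, and requires at least two such links on one host so that a newsletter carrying a single tracking token does not trip it. The 30-40 character band, the requirement that a token mix letters and digits, the second host name and all three sample messages are assumptions constructed for the example; only the first sample's host and tokens come from Andrew's post.

```python
import re
from email import message_from_string
from email.policy import default

# A link whose whole path is one long alphanumeric token, like the sample's
# payload (37 chars) and unsubscribe (33 chars) links.  The lookahead keeps the
# rule from matching a prefix of a longer token or of a real path.  The 30-40
# length band is an assumption chosen around the two samples.
TOKEN_URL = re.compile(
    r'https?://(?P<host>[a-z0-9.-]+)/(?P<token>[0-9a-z]{30,40})(?![0-9a-z/._-])',
    re.IGNORECASE)
ANY_URL = re.compile(r'https?://\S+', re.IGNORECASE)


def token_links(text: str):
    """(host, token) for every token-only link whose token mixes digits and letters."""
    hits = []
    for m in TOKEN_URL.finditer(text):
        token = m.group('token').lower()
        if any(c.isdigit() for c in token) and any(c.isalpha() for c in token):
            hits.append((m.group('host').lower(), token))
    return hits


def is_campaign_variant(raw_message: str) -> bool:
    """Structural rule: a text/plain body whose links are all token-only links
    on a single host, at least two of them (payload plus unsubscribe).  No
    domain appears in the rule, so a re-spun campaign on a fresh domain still
    matches, while HTML mail or a newsletter with one tracking link does not."""
    msg = message_from_string(raw_message, policy=default)
    if msg.get_content_type() != 'text/plain':
        return False
    body = msg.get_payload()
    hits = token_links(body)
    if len(hits) < 2 or len({host for host, _ in hits}) != 1:
        return False
    return len(ANY_URL.findall(body)) == len(hits)


# Constructed samples: the first reuses the host and tokens Andrew quoted, the
# second is the same structure on an invented host, the third a plain-text
# newsletter with one token link and one ordinary link.
SPAM_SAMPLE = """\
From: noreply@payoff.all-debt-forever.com
To: andrew@example.net
Subject: Stay on top of your credit report
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline

Check your report today:
http://payoff.all-debt-forever.com/02138174505792882531178a7d79a040f797d

To stop receiving these:
http://payoff.all-debt-forever.com/78a7d79a040f797d40213817450579288
"""
VARIANT_SAMPLE = (SPAM_SAMPLE
                  .replace('payoff.all-debt-forever.com', 'deal.example')
                  .replace('02138174505792882531178a7d79a040f797d',
                           'a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d')
                  .replace('78a7d79a040f797d40213817450579288',
                           '9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6'))
LEGIT_SAMPLE = """\
From: news@example.com
To: andrew@example.net
Subject: Monthly newsletter
Content-Type: text/plain; charset=us-ascii

Read this month's issue:
https://news.example.com/abcdef0123456789abcdef0123456789ab
About us: https://www.example.com/about
"""
```

Treat a hit as a weight to combine with other tests rather than a block on its own: legitimate list software also emits token links, and the combination (plain text, two links, one host, nothing else) is what keeps the false positive rate down.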



[Declude.JunkMail] A small Junkmail enhancement suggestion

2010-07-15 Thread Colbeck, Andrew
David, are you there?
 
The FROMNOMATCH test introduced in 2006 checks whether the MAILFROM
matches the From: header.
 
I suggest an enhancement to reduce false positives: that the FROMNOMATCH
is suppressed if the Sender: header line is present.
 
The Sender: header line is used to indicate that the sending mail system
knows that the actual sender is different from the cosmetic From: line.
 
The result in, say, Microsoft Outlook, is that the From: line will show
%MAILFROM% on behalf of %From: field contents%.
 
The Sender: line receives a bare mention here:
http://en.wikipedia.org/wiki/E-mail_header
 
The FROMNOMATCH should also be suppressed if the MAILFROM is <>.
 
I suspect that VERP addresses should also be excepted, because as with
the Sender: header, the envelope/MAILFROM is expected to not match the
From: header. Here's the Wikipedia article on VERP:
http://en.wikipedia.org/wiki/Variable_envelope_return_path
 
There may be a problem with VERP if there is no clear winner or winners
in the formatting; if there are VERP formats that are intended to be
interpreted by software instead of humans, then those formats make good
exceptions to FROMNOMATCH.
 
An example of what is too vague and relies on a human being is the
huge variety of mailing list, return, and bounce formats in the
MAILFROM.
 
I see a lot of bounces that begin the MAILFROM with bounces, bounce,
bo- or put bounce in the fully qualified domain name.
 
The only one I know of that is consistent is the prvs=.+= prefix by
BATV: http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation
 
Reducing the incidence of FROMNOMATCH in the subjective bounce
formattings may be too much of a custom configuration to maintain, and
would make a decent combo test.
 
I have been using FROMNOMATCH with a tiny weight since its inception,
adding more weight in combination tests. I recently looked at my Declude
logs, and found that FROMNOMATCH triggered 10:1 on ham:spam, that is,
the spammers are now more likely to match the envelope and From: header
(even though it's probably a fake address anyway).
 
My statistic has to be taken with a grain of salt; I use Alligate in
front of my Declude, so my results are skewed by omitting lots of the
spam from zombie hosts.
 
tl;dr: Exclude from the FROMNOMATCH test when the MAILFROM is <>, or
when a valid Sender: line is also in the header, or the MAILFROM is in
BATV or recognizable VERP format.
 
 
Andrew.
 
 
 


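Added example (the editor's, not Declude's code and not a description of how FROMNOMATCH is actually implemented): the exceptions proposed above, in Python, so the decision order and its one sharp edge are explicit. The null sender and the BATV prvs=...= prefix are taken straight from the post; the VERP pattern is a heuristic of my own, and so is the reading of "valid Sender:" as a Sender: line whose address matches the envelope. That last point matters: a spammer can add a Sender: header as easily as a From: header, so a Sender: that matches neither side must not buy him an exemption. The sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# BATV-signed return path, prvs=<tag>=<local part>: the one consistent bounce
# format named in the post.
BATV_RE = re.compile(r'^prvs=[^=]+=(.+)$', re.IGNORECASE)
# VERP-style return path, <list>-<user>=<domain>@<listhost>.  Heuristic; an assumption.
VERP_RE = re.compile(r'^.+[-+][^=@]+=[^=@]+$', re.IGNORECASE)


def core_address(mail_from: str) -> str:
    """Normalise an envelope sender: strip <>, lower-case, undo a BATV tag."""
    addr = mail_from.strip().strip('<>').lower()
    local, _, domain = addr.rpartition('@')
    tagged = BATV_RE.match(local)
    if tagged:
        local = tagged.group(1)
    return f'{local}@{domain}'


def fromnomatch(mail_from: str, raw_message: str):
    """Decide whether FROMNOMATCH should fire.  Returns (fires, reason)."""
    mail_from = mail_from.strip()
    if mail_from in ('', '<>'):
        return False, 'null sender: a bounce can never match From:'
    envelope = core_address(mail_from)
    msg = message_from_string(raw_message, policy=default)
    header_from = parseaddr(str(msg.get('From', '')))[1].lower()
    if envelope == header_from:
        return False, 'envelope sender matches From:'
    sender = parseaddr(str(msg.get('Sender', '')))[1].lower()
    if sender:
        if sender == envelope:
            return False, 'Sender: matches the envelope: sent on behalf of From:'
        # Anyone can add a Sender: line; one matching neither side vouches for nothing.
        return True, f'Sender: {sender} matches neither {envelope} nor {header_from}'
    if VERP_RE.match(envelope.split('@')[0]):
        return False, 'VERP-style return path'
    return True, f'envelope {envelope} does not match From: {header_from}'


def make_msg(from_: str, sender: str = '') -> str:
    """Constructed minimal message for the samples below."""
    headers = [f'From: {from_}', 'To: andrew@example.net', 'Subject: FROMNOMATCH sample']
    if sender:
        headers.append(f'Sender: {sender}')
    return '\n'.join(headers) + '\n\nbody\n'


ALICE_MSG = make_msg('Alice <alice@example.com>')
LIST_MSG = make_msg('Bob <bob@example.org>', sender='list-bounces@lists.example.net')
FORGED_SENDER_MSG = make_msg('ceo@example.com', sender='ceo@example.com')
VERP_MSG = make_msg('news@lists.example.com')
```

As in the post, the test is meant to carry a tiny weight on its own and more in combination; the exemptions above only stop it from firing on mail whose envelope is legitimately different from its From:.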


RE: [Declude.JunkMail] Fine tuning Declude

2010-05-12 Thread Colbeck, Andrew
I wrote a batch file once on a number of the exchange servers that used
VBS and LDAP to generate a list of valid exchange recipients and then
FTP them to the server where a CF script parsed it clean.
 
Michael, it sounds like you were most of the way there.
 
Alligate does have the feature you were working towards, which was a
recipient file for a given domain, the magic phrase being the rvInput
folder. I don't use it, but the rough idea is that you periodically drop
in a plain text file, say, per domain, in that folder and an Alligate
process picks them up.
 
Another one of the problems is that most all of my clients don't want to
disable NDRs with whatever solution I come up with, which makes it
fairly impossible to avoid backscatter.
 
This lets your gateway accept only email for valid recipients and reject
mail during the envelope conversation, thus you are not generating spam
backscatter and you are emitting valid NDRs only (when the bad guys
spoof a MAILFROM and you accept a message because your gateway can't
validate the recipient yet, then later bounce the message as
undeliverable, your backscatter spams the spoofed sender).
 
Darin's earlier message describes a way to accomplish the same thing via
IMail and aliases; I believe this method was pioneered by Sandy (Sanford
Whiteman) back in 2004 and the thread can be picked up here:
 
http://www.mail-archive.com/search?q=Exchange2aliasesl=declude.junkmail%40declude.com
 
The trouble for you is that this is an even more significant
implementation for your clients than your scraping of their AD.
 
 
Andrew.



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
Michael Cummins
Sent: Wednesday, May 12, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude



I wrote a batch file once on a number of the exchange servers that used
VBS and LDAP to generate a list of valid exchange recipients and then
FTP them to the server where a CF script parsed it clean.  I didn't
quite know what to do with them when they got there though (I was
originally going to use them in Alligate, but never got that up and
going) and I don't have the full granular cooperation of all the
Exchange network peeps, only most of them, so it was difficult to
implement a one-size-fits-all policy regardless.

 

I'll put my thinking cap on.  

 

Another one of the problems is that most all of my clients don't want to
disable NDRs with whatever solution I come up with, which makes it
fairly impossible to avoid backscatter.  It goes in me one way, and out
another :p

 

 

Very Respectfully, 

 

Michael Cummins

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
Darin Cox
Sent: Wednesday, May 12, 2010 10:55 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Fine tuning Declude

 

Hi Michael,

 

I may be able to help with this.  You mention doing gateway filtering
for Exchange servers.  We also do that, but instead of accepting any
address with the domain, we have accounts set up on our server and
refuse connections that don't go to one of those accounts.

 

Now your next comment is probably that you don't want the extra
management of setting up accounts on both servers.  Well we've handled
that by using a sync process we developed to extract the list of
accounts from the Exchange server, ship that up to the gateway server,
and check to see what accounts need to be added or deleted.  We've been
using this process for a couple of years with perfect success.

 

Since it is a batch process, it is scheduled to run every few minutes,
so there could be a few minute delay when new accounts are added, but it
has worked flawlessly for a couple of years.  There are checks in place
to make sure incomplete transfers don't result in accounts being deleted
or incorrect accounts getting added to the gateway, and notifications
are sent every time accounts are added or deleted.

 

Currently it runs as a script on the destination Exchange or IMail
server, and a scheduled process on a SQL database on our mail gateway
server. Also, our gateway is an IMail server, but we could easily adapt
it to use the account creation command line utilities I assume
SmarterMail has.

 

One other comment about the implementation.  We maintain a hosts file
for forwarding to the destination mail server, and use a subdomain to
forward the mail for routing purposes, so the destination mail server is
configured to accept mail for the subdomain.  That's a simple change in
Exchange to add an SMTP alias, and can be added to the default policy in
Exchange so it is automatically added when an account is created.

 

Anyway, if you have any interest, let me know.  I know we wouldn't be
able to survive if we were accepting email for any address in a domain,
so I feel your pain.

 

Best,


Darin Cox
4C Web
A division of 4C Design Technology Corp.
(813) 413-4883  Tampa Bay, FL
(919) 533-5000  Research 
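Added example by the editor (not Alligate's, IMail's or 4C Web's code): the two pieces this thread describes, in Python. rcpt_response refuses an unknown recipient inside the SMTP envelope, which is what prevents the backscatter Andrew explains, because a message you never accepted never needs an NDR; plan_sync is the safety check Darin mentions, refusing to apply a freshly transferred recipient list that is empty or that would delete an implausible share of accounts. The one-address-per-line file format, the 25% deletion cap and the sample lists are assumptions.

```python
from collections import namedtuple

SyncPlan = namedtuple('SyncPlan', 'add delete')


def load_recipients(text: str) -> dict:
    """Parse a one-address-per-line recipient file into {domain: {localpart}}."""
    valid = {}
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith('#') or '@' not in line:
            continue
        local, _, domain = line.rpartition('@')
        valid.setdefault(domain, set()).add(local)
    return valid


def rcpt_response(valid: dict, rcpt: str) -> str:
    """SMTP reply for RCPT TO.  Refusing the unknown user inside the envelope
    means the message is never accepted, so no NDR is generated later and the
    (usually forged) MAIL FROM never receives our backscatter."""
    local, _, domain = rcpt.strip().strip('<>').lower().rpartition('@')
    if domain not in valid:
        return '554 5.7.1 Relay access denied'
    if local not in valid[domain]:
        return '550 5.1.1 User unknown'
    return '250 2.1.5 Recipient OK'


def plan_sync(gateway: set, upstream: set, max_delete_fraction: float = 0.25) -> SyncPlan:
    """Diff the gateway's recipient set against the one just pulled from the
    Exchange side.  An empty upstream list, or one that would delete more than
    max_delete_fraction of the gateway's accounts, is treated as a failed or
    truncated transfer and rejected rather than applied."""
    if not upstream:
        raise ValueError('upstream recipient list is empty; refusing to apply')
    delete = gateway - upstream
    if gateway and len(delete) / len(gateway) > max_delete_fraction:
        raise ValueError(f'{len(delete)} of {len(gateway)} recipients would be '
                         f'deleted; refusing to apply a suspiciously large sync')
    return SyncPlan(add=sorted(upstream - gateway), delete=sorted(delete))


def sync_is_safe(gateway: set, upstream: set) -> bool:
    """True when plan_sync would accept the transfer."""
    try:
        plan_sync(gateway, upstream)
        return True
    except ValueError:
        return False


def flatten(valid: dict) -> set:
    return {f'{user}@{domain}' for domain, users in valid.items() for user in users}


# Constructed sample lists: one account left the company, one joined.
GATEWAY_FILE = """\
# recipients currently known to the gateway
alice@example.com
bob@example.com
carol@example.com
dave@example.com
"""
UPSTREAM_FILE = """\
alice@example.com
bob@example.com
carol@example.com
erin@example.com
"""
GATEWAY = flatten(load_recipients(GATEWAY_FILE))
UPSTREAM = flatten(load_recipients(UPSTREAM_FILE))
```

Send the rejected plan to the notification address Darin describes instead of silently skipping it; a sync that keeps failing its own sanity check is usually an Exchange-side export that broke.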

RE: [Declude.JunkMail] SORBS Website Down?

2010-05-12 Thread Colbeck, Andrew
It may have been down when you looked, Andy. It's up now.
 
Also, I like to use this 3rd party for an instant second opinion:
 
http://downforeveryoneorjustme.com
 
 
Andrew 8)
 
 



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 12, 2010 1:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] SORBS Website Down?



Hi,

 

Does anyone have a URL that works? I haven't been able to get
www.sorbs.net/lookup.shtml, or www.au.sorbs.net/lookup.shtml to come up?

 

I remember reading something last year that they had trouble getting a
hosting sponsor - but later they were acquired by GFI.

 

Best Regards,

Andy

 

 

 




RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Colbeck, Andrew
I'm replying here so as not to clutter the announcement thread.
 
The rationale for not using 127.0.0.1 is that the DNSBL is reflexive,
and 127.0.0.1 is conventionally resolved as localhost and querying for
localhost in a DNSBL is wrong, wrong, wrong.
 
Expanding on that, the 127.0.0.0/8 network for the results is used because
it is non-routable.
 
Also, the test point should exist (and it does!)
 
dig @8.8.8.8 2.0.0.127.truncate.gbudb.net.
 
Which provides a neat example of my first point. The test point couldn't
be 127.0.0.1 because it would be wrong to query a DNSBL for your own
localhost address.
 
 
Andrew 8)



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 10:48 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net


On 4/30/2010 1:17 PM, Andy Schmidt wrote: 

It is - and I agree with you!



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf
Of Matt
Sent: Friday, April 30, 2010 12:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up
truncate.gbudb.net



Is the result code really 127.0.0.1?  That is totally
non-standard.  It should be 127.0.0.2 or higher.



Per RFC5782 I see:


The A record contents conventionally have the value 127.0.0.2, but MAY
have other values as described below in...

So it is by convention that the result code would be 127.0.0.2 -- not a
rule.
I have no problem with this... I will make the change... better to do it
now than later.
Odd that nobody complained about it before.

I will post another note when the change is made.

_M




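Added example (the editor's, not ARM Research's and not what any listed DNSBL runs): the RFC 5782 sanity check behind Andrew's dig line, in Python against a pluggable resolver so it runs offline. Section 5 of the RFC gives two test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be. The second half is the one people forget, and it is what catches a list that has shut down and left a wildcard behind, while the 127.0.0.0/8 check on every answer catches a zone whose domain expired and now resolves everything to a parking web host. The zones dnsbl.example, dead.example and wild.example and their answer tables are constructed; with the default resolver the functions query real DNS.

```python
import socket
from ipaddress import ip_address, ip_network

RESULT_NET = ip_network('127.0.0.0/8')     # where DNSBL answers live (RFC 5782 s.2.1)


def dnsbl_name(ip: str, zone: str) -> str:
    """1.2.3.4 looked up in zone Z becomes 4.3.2.1.Z (octets reversed)."""
    return '.'.join(reversed(ip.split('.'))) + '.' + zone


def lookup(ip: str, zone: str, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer for ip, or None if it is not listed.
    An answer outside 127.0.0.0/8 is treated as 'not listed': that is what a
    dead zone parked on a web host returns, and acting on it blocks everyone."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:                                   # NXDOMAIN arrives as socket.gaierror
        return None
    return answer if ip_address(answer) in RESULT_NET else None


def zone_sanity(zone: str, resolve=socket.gethostbyname) -> bool:
    """RFC 5782 s.5 test entries: 127.0.0.2 MUST be listed, 127.0.0.1 MUST NOT.
    Failing the first means dead or parked; failing the second means the zone
    lists everything, typically a wildcard left behind when a list shut down."""
    return (lookup('127.0.0.2', zone, resolve) is not None
            and lookup('127.0.0.1', zone, resolve) is None)


# Constructed answer tables standing in for DNS, so the checks run offline.
GOOD_TABLE = {                       # healthy list: test entry plus one listed host
    '2.0.0.127.dnsbl.example': '127.0.0.2',
    '4.3.2.1.dnsbl.example': '127.0.0.4',
}
DEAD_TABLE = {                       # expired zone now parked: everything is a web host
    '2.0.0.127.dead.example': '192.0.2.80',
    '1.0.0.127.dead.example': '192.0.2.80',
    '4.3.2.1.dead.example': '192.0.2.80',
}
WILD_TABLE = {                       # shut-down list left with a 127.0.0.2 wildcard
    '2.0.0.127.wild.example': '127.0.0.2',
    '1.0.0.127.wild.example': '127.0.0.2',
    '4.3.2.1.wild.example': '127.0.0.2',
}


def table_resolver(table: dict):
    """Resolver over a fixed table; unknown names fail like a real NXDOMAIN."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, 'Name or service not known')
    return resolve
```

Run zone_sanity on every DNSBL you score at startup and on a timer; a zone that stops passing should have its weight dropped to zero automatically rather than waiting for the complaints.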


RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Colbeck, Andrew
Matt> There aren't that many RFC hawks around here these days :)

... The wikipedia entry points to an early work, this draft:

http://tools.ietf.org/html/draft-irtf-asrg-dnsbl-08


Pete> Odd that nobody complained about it before.

I hadn't implemented it yet... And I'm a complainer.


Andrew ;)
 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, April 30, 2010 11:02 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net


There aren't that many RFC hawks around here these days :)

Matt



On 4/30/2010 1:48 PM, Pete McNeil wrote:
 So it is by convention that the result code would be 127.0.0.2 -- not 
 a rule.
 I have no problem with this... I will make the change... better to do 
 it now than later.
 Odd that nobody complained about it before.

 I will post another note when the change is made.






RE: [Declude.JunkMail] multistage filtering [OT]

2010-02-10 Thread Colbeck, Andrew
I'm another Alligate fan on the Windows platform. It is a very smart and
effective product.
 
I have conservative settings that stick close to the defaults and my
configuration rejects 80% of the inbound connections. Before I
implemented Alligate, my Declude was hurting because of my large filter
files. A combination of large filter files and large volumes meant heavy
CPU and disk utilization and conflict.
 
I'm also a MessageSniffer fan, and know that you could be very happy
with Pete's recommended solution.
 
Implementing an MTA in front of your content scanner and mailserver is a
resource that is well spent; the two layers have very different
workloads, and I think you'll find that you need to upgrade the hardware
on the content scanner less if you have an MTA that is filtering the
connections first.
 
 
Andrew.



From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of
Bonno Bloksma
Sent: Wednesday, February 10, 2010 3:29 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] multistage filtering [OT]


Hi,
 
With the amount of spam I have to throw away each day now reaching
consistent levels of over 90%... I can of course get an even faster
mailserver but I think I would be better off with an extra SMTP server in
front of my mailserver which filters the most blatant spam mail purely
based on session info. What passes that server can go on to my IMail
server and have more content-based filtering using Declude, Sniffer,
InvURIBL etc.
 
What would be a good first step server? I have experience with (Debian)
Linux so a Linux based solution is no problem.
 
Kind regards,
Bonno Bloksma
senior system administrator

tio 

college of hospitality and tourism 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl / www.tio.nl





RE: [Declude.JunkMail] CBL:IP is Blacklisted

2009-02-13 Thread Colbeck, Andrew
Here's the answer, Todd.

http://www.mail-archive.com/imail_fo...@list.ipswitch.com/msg103112.html

It's an old problem with CBL and IMail. Certainly, CBL is at fault and
by now they should have at least taken up SPF record checking to weed
out false positives. I just checked your SPF record and it is valid, so
this would have helped you.


Andrew.


 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd
Richards
Sent: Friday, February 13, 2009 8:42 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CBL:IP is Blacklisted


OK, sorry to cry wolf.  I sent them an email directly (which is what they
said to do if you are running IMail) and it appears that they have us
removed already.  Not sure why/how we got added, if it has anything to do
with IMail (as they suggest) or what.  I'm running several misc. scans on
our server to be sure we don't have a problem.  Any other suggestions of
how/why, or what to check are always appreciated!

Todd


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd
Richards
Sent: Friday, February 13, 2009 10:13 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] CBL:IP is Blacklisted

Hi  Everyone -

Late yesterday I started seeing some bounces that our IP address was being
rejected because of the following:

RCPT TO generated following response:
554 Denied [SHXBL] - Denied by Spamhaus XBL - See
http://www.spamhaus.org/query/bl?ip=8.7.193.82 (Mode: normal)

I checked and we are, in fact, listed in CBL.  I went through the steps to
request removal.  Is there anything else I should do?  I'm really not sure
how we got on it anyway.  Does anyone know how long it takes?  I've got
several people hollering at me because anything they send out is being
rejected as spam.

Todd















RE: [Declude.JunkMail] Re:Declude vs Perry

2008-09-09 Thread Colbeck, Andrew
Perhaps suing your partners is a Rich Person(tm) idea of good Corporate
Stewardship(tm). It certainly is a far cry from supporting, promoting,
and improving the product line, you know, the normal way a company Earns
Money(tm).
 
 
Andrew.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Hayer
Sent: Tuesday, September 09, 2008 7:16 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Re:Declude vs Perry


Hi David -

Below was forwarded to me - as a long time Decluder I am very
disappointed in seeing something like this - 

-Nick





http://dozierinternetlawpc.cybertriallawyer.com/computer-lawyer

 

DECLUDE, INC. AND DNSSTUFF, LLC. v. R. SCOTT PERRY DISTRICT OF
MASSACHUSETTS (BOSTON) 1:08-cv-11072 

FILED: 06/25/08

The ownership of source code and the ownership of the code in
general used to build a website is often an overlooked issue. Make sure
that you have spelled out not only the ownership of the code but also
the requirements relating to what code can be retrieved from the public
domain. If you are using a web developer who retains ownership of source
code then you risk having that developer use the code with future
competitors at much lower costs and with the benefit of your
intellectual capital in developing the architecture, engineering, and
business processes. 

Declude purchased the Defendant's anti-virus, anti-spam and
anti-hijacking software in September, 2000, and sold the products as
Declude Virus, Declude Junkmail, and Declude Hijack. The
Defendant, R. Scott Perry, allegedly used the same source code in
developing an additional product, and when the Plaintiff went to venture
capitalists to raise capital, the detailed due diligence revealed that
Defendant had retained a copy of the source code contrary to the
provisions of the purchase agreement in 2000, and had again sold some of
the same code to the Plaintiff in the new product he had launched.

The Plaintiff has sued the individual Defendant for copyright
infringement, breach of contract, fraud, conversion, unjust enrichment,
and unfair and deceptive acts and practices. Dozier Internet Law
Cross-Reference Number 1190.

 






RE: [Declude.JunkMail] SPF Issue

2008-09-03 Thread Colbeck, Andrew
One thing, Serge.

You don't need both TXT records. The one called mail is useless.


p.s. here's yet another SPF record checking website

http://www.kitterman.com/spf/validate.html


Andrew.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Serge
Sent: Tuesday, September 02, 2008 9:12 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] SPF Issue


Seems all is OK
thank you all for your help

Serge

- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, September 02, 2008 2:46 AM
Subject: RE: [Declude.JunkMail] SPF Issue


 I checked your 4 DNS servers. dns2 is down, but the other 3 all returned
 the same, valid SPF record. (Despite what Pete said, your SPF syntax is
 perfectly valid and quite usual.)

 Based on what you posted, DNSSTUFF contacted your ns1.cefib.com for the
 TXT record without success. May have been a temporary problem?

 Do you actually have any MAIL problems related to SPF? What you are
 reporting here, doesn't seem to be an SPF problem, but rather a DNS
 problem!

 You can always use one of the email based record testers on
 http://www.openspf.org/Tools to confirm that your SPF record is recognized
 AND handled correctly by third party servers.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Serge
 Sent: Monday, September 01, 2008 7:16 PM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] SPF Issue

 Here is what i get from DNSSTUFF
 Not sure what else to do to find out what is going on


 How I am searching:

 Searching for cefib.com SPF record at f.root-servers.net
[192.5.5.241]: 
 Got
 referral to D.GTLD-SERVERS.NET. (zone: com.) [took 59 ms]
 Searching for cefib.com SPF record at D.GTLD-SERVERS.NET.
[192.31.80.30]:
 Got referral to ns1.cefib.com. (zone: cefib.com.) [took 31 ms]
 Searching for cefib.com SPF record at ns1.cefib.com. [217.64.107.100]:
 Reports that no SPF records exist. [took 301 ms] Response: No SPF
records
 exist for cefib.com. [Neg TTL=3540 seconds] Details: ns1.cefib.com.
(an
 authoritative nameserver for cefib.com.) says that there are no SPF 
 records
 for cefib.com. The E-mail address in charge of the cefib.com. zone is:
 [EMAIL PROTECTED]
 There is no need to refresh the page -- to see the DNS traversal, to
make
 sure that all DNS servers are reporting the same results, you can
Click
 Here. Note that these results are obtained in real-time, meaning that 
 these
 are not cached results. These results are what DNS resolvers all over
the
 world will see right now (unless they have cached information).





 - Original Message - 
 From: Andy Schmidt [EMAIL PROTECTED]
 To: declude.junkmail@declude.com
 Sent: Monday, September 01, 2008 12:41 PM
 Subject: RE: [Declude.JunkMail] SPF Issue


 What is the issue? What error message? Was it bounced mail? What did the
 NDR say? It could be a recipient trying to forward mail to another server,
 or an end-user trying to send email from home using their local ISP... etc.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Serge
 Sent: Sunday, August 31, 2008 10:18 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] SPF Issue

 Hi all

 I have some SPF issues
 It was working fine some time back
 I use Microsoft DNS
 I have
 (same as parent)   Text   v=spf1 mx ip4:217.64.107.106 -all
 mail               Text   v=spf1 mx ip4:217.64.107.106 -all

 What is wrong with above ?

 TIA




















 








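The thread above turns on two points: what a receiving server actually does with `v=spf1 mx ip4:217.64.107.106 -all`, and why the copy of that record published under the `mail` name is not consulted when the MAIL FROM is someone@cefib.com (the lookup is made at the domain after the "@"). The evaluator below is an added example, not code from the thread or from Declude, and it works against a constructed in-memory zone so it runs offline: the two TXT records are the ones Serge posted, while the MX host name `mail.cefib.com`, its address 217.64.107.107, and the domains `twospf.test` and `nospf.test` are assumptions made for the example.

```python
"""Minimal SPF (RFC 7208) evaluator covering the mechanisms in Serge's record.

Example code added to this archive page; it is not Declude's code. DNS is
replaced by a constructed in-memory zone so the example runs offline.
"""
import ipaddress

# Constructed zone. The two TXT records are the ones Serge posted; the MX host
# name and its address 217.64.107.107 are assumptions made for the example,
# and twospf.test is a made-up domain with the duplicate-record mistake.
FAKE_ZONE = {
    "TXT": {
        "cefib.com": ["v=spf1 mx ip4:217.64.107.106 -all"],
        "mail.cefib.com": ["v=spf1 mx ip4:217.64.107.106 -all"],
        "twospf.test": ["v=spf1 -all", "v=spf1 mx -all"],
    },
    "MX": {"cefib.com": ["mail.cefib.com"]},
    "A": {"mail.cefib.com": ["217.64.107.107"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fake_lookup(rrtype, name):
    """Stand-in for a resolver: records of type rrtype at name, [] if none."""
    return FAKE_ZONE.get(rrtype, {}).get(name.lower(), [])


def spf_domain(mail_from):
    """The SPF check for MAIL FROM is made at the domain after the '@'."""
    return mail_from.rsplit("@", 1)[1].lower()


def evaluate_spf(domain, client_ip, lookup=fake_lookup):
    """SPF result for a connection from client_ip claiming MAIL FROM at domain.

    Implements all, ip4, ip6, a and mx. Anything else (include, redirect=,
    exp=, macros) returns permerror instead of silently guessing.
    """
    records = [r for r in lookup("TXT", domain) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:            # RFC 7208 section 4.5: more than one record is an error
        return "permerror"
    ip = ipaddress.ip_address(client_ip)

    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                # a bare host address is treated as /32 or /128; an address of
                # the other family never matches
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = any(ipaddress.ip_address(a) == ip
                              for a in lookup("A", arg or domain))
            elif name == "mx":
                matched = any(ipaddress.ip_address(a) == ip
                              for mx in lookup("MX", arg or domain)
                              for a in lookup("A", mx))
            else:
                return "permerror"
        except ValueError:          # malformed address or network in the record
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                # no mechanism matched and no 'all' term


def check_mail_from(mail_from, client_ip, lookup=fake_lookup):
    """Convenience wrapper: evaluate the record for the MAIL FROM domain."""
    return evaluate_spf(spf_domain(mail_from), client_ip, lookup)


if __name__ == "__main__":
    for ip in ("217.64.107.106", "217.64.107.107", "198.51.100.7"):
        print(ip, check_mail_from("serge@cefib.com", ip))
```

The two listed mechanisms are tried in order and `-all` only fires when neither matches, so 217.64.107.106 passes via `ip4`, the constructed MX host's address passes via `mx`, and anything else fails. Two records at one name is a permerror rather than a pass, which is worth checking after any DNS console edit; unsupported terms also return permerror so a real deployment notices the gap rather than silently accepting mail.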


RE: [Declude.JunkMail] Mail Pre-Processor recommendations

2008-05-29 Thread Colbeck, Andrew
Nick Hayer said:
 I have a small utility that will allow Declude (for 
 Imail) to run on an Alligate box without Imail being present.


... and it works. I'm using Nick's utility so that my antispam gateway
is Alligate + Nick's utility instead of IMail. Like many people, I
bought into Declude as my antispam product, and IMail just happened to
be the platform it ran on.

I'm much happier paying for Alligate than IMail. Ipswitch never made me
happy. Never.


Andrew.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Hayer
Sent: Thursday, May 29, 2008 6:15 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Mail Pre-Processor recommendations


Colbeck, Andrew wrote:
 I use Alligate from Solid Oak Software, and I like it a lot.
   
as do I.

The really slick part is how it reduces bandwidth - it *very* accurately
distinguishes spam et al before the DATA command thereby preventing the
unwanted emails from ever being received.

Shameless plug -  I have a small utility that will allow Declude (for 
Imail) to run on an Alligate box without Imail being present. If anyone 
is interested email me off list and I will send you a copy.

-Nick

 On my primary gateway, I received just shy of 500,000 connections in the
 last 24 hours, and my Declude only had to see 4% of that traffic. Yes,
 4%.

 I'm spending less time doing clever things in Declude, because Alligate
 is pre-filtering so well for me.


 Andrew.
  

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Scott Fosseen
 Sent: Wednesday, May 28, 2008 1:29 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Mail Pre-Processor recommendations


 I believe I have seen some replies to this already, but I thought I would
 put this out again.   I am hosting about 30 domains worth of email and
 filtering for an additional 10 domains.  My current configuration is all
 mail is pre-filtered through a Barracuda 400 box, then forwarded to a
 Smartermail 4.x server running Declude with Sniffer, Zero Hour, invURIBL.
 The Smartermail/Declude box is a Dual Quad Core HP server with 2 Gig of
 RAM.  I am currently receiving about 600k email messages a day on the
 Barracuda box, and it is seeing performance issues.  Before I purchase a
 2nd Barracuda box I thought I would check to see if anyone has a better
 solution.  Declude still catches 40-60% SPAM after the Barracuda box.

 Thanks
 _
 This email and any files transmitted with it are confidential and intended
 solely for the use of the individual or entity to whom they are addressed.
 If you are not the named addressee you should not disseminate, distribute
 or copy this e-mail. You are asked to notify the sender immediately by
 e-mail if you have received this e-mail by mistake and delete this e-mail
 from your system. Please note that any views or opinions presented in this
 email are solely those of the author and do not necessarily represent those
 of Prairie Lakes Area Education Agency. Prairie Lakes Area Education Agency
 accepts no liability for any damage caused by any virus transmitted by this
 email.
 - 
 _
 Scott Fosseen - Systems Engineer - Prairie Lakes AEA - 
 http://www.aea8.k12.ia.us/tech
 _
 We live in a world today where lemonade is made from artificial
 flavors and furniture polish is made from real lemons.  - Alfred
 E.Neumann MAD magazine
 _
  









   








RE: [Declude.JunkMail] Mail Pre-Processor recommendations

2008-05-28 Thread Colbeck, Andrew
I use Alligate from Solid Oak Software, and I like it a lot.

On my primary gateway, I received just shy of 500,000 connections in the
last 24 hours, and my Declude only had to see 4% of that traffic. Yes,
4%.

I'm spending less time doing clever things in Declude, because Alligate
is pre-filtering so well for me.


Andrew.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Fosseen
Sent: Wednesday, May 28, 2008 1:29 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Mail Pre-Processor recommendations


I believe I have seen some replies to this already, but I thought I would
put this out again.   I am hosting about 30 domains worth of email and
filtering for an additional 10 domains.  My current configuration is all
mail is pre-filtered through a Barracuda 400 box, then forwarded to a
Smartermail 4.x server running Declude with Sniffer, Zero Hour, invURIBL.
The Smartermail/Declude box is a Dual Quad Core HP server with 2 Gig of
RAM.  I am currently receiving about 600k email messages a day on the
Barracuda box, and it is seeing performance issues.  Before I purchase a
2nd Barracuda box I thought I would check to see if anyone has a better
solution.  Declude still catches 40-60% SPAM after the Barracuda box.

Thanks
_
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you are not the named addressee you should not disseminate, distribute
or copy this e-mail. You are asked to notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete this e-mail
from your system. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent those
of Prairie Lakes Area Education Agency. Prairie Lakes Area Education Agency
accepts no liability for any damage caused by any virus transmitted by this
email.
- 
_
Scott Fosseen - Systems Engineer - Prairie Lakes AEA - 
http://www.aea8.k12.ia.us/tech
_
We live in a world today where lemonade is made from artificial
flavors and furniture polish is made from real lemons.  - Alfred
E.Neumann MAD magazine
_
 









RE: Re[2]: [Declude.JunkMail] form spam filter

2008-04-10 Thread Colbeck, Andrew
 Definition of: ohnosecond 

That tiny fraction of a second it takes for you to realize you've just
made a big mistake on the computer. For example, you just clicked No
when prompted to save the document you've been composing all day. Or,
you just clicked Send, and forgot to delete the profanity you wrote at
the bottom of the e-mail message to your boss. 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Craig Edmonds
Sent: Thursday, April 10, 2008 12:36 AM
To: declude.junkmail@declude.com
Subject: RE: Re[2]: [Declude.JunkMail] form spam filter



Sorry for the last email everyone with the attachment, i meant
to send it directly to Pete at Arm Research.

I clicked the reply button wrote my mail and realised about 10
milliseconds after clicking send which by that time the email had
already gone from my outbox.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: 09 April 2008 16:41
To: Craig Edmonds
Subject: Re[2]: [Declude.JunkMail] form spam filter

 

On Wednesday, April 9, 2008, 10:01:56 AM, Craig wrote:

 

 

Hi Darin,

 

I guess what I am looking for from Declude (or a third party) is to
provide me a filter that will phrase filter the incoming form mail and
determine if its a spammy one or not.

 

We may be able to help you.

 

Please send some samples (zipped) off list --
[EMAIL PROTECTED]

 

_M

 










RE: [Declude.JunkMail] 4.4.00 Released

2008-04-04 Thread Colbeck, Andrew
David Barker said:

DEC ADD Added date, Time, Email, Spool name, Weight and Tests failed
to the BLKLST log

Dave, the what log?


Andrew.
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, March 27, 2008 7:30 AM
 To: declude.junkmail@declude.com; [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] 4.4.00 Released
 
 
 4.4.00 Released we will be sending a notification to all customers.
 
 EVA  ADD  Updated AVG (avgsdk.dll 1.3.511)
 EVA  ADD  BANEXT EZIP for encrypted files .RAR can encrypt at the file
           name level requiring a password.
 EVA  ADD  ALLOWVULNERABILITIESFROM example.com can be used with just
           domain
 EVA  FIX  BANEZIPEXT ON blocking any encrypted file names
 EVA  FIX  ALLOWVULNERABILITIESFROM error when non sender
 EVA  FIX  Fix Header Vulnerability to accommodate Opera mail Client
           header format
 JM   ADD  Updated PCRE (pcre3.dll 7.0)
 JM   ADD  Updated CommTouch ZEROHOUR (asapskd.dll 5.05.8)
 JM   ADD  Check the SmarterMail Domain Level for Trusted Sender in the
           domainconfig.xml
 JM   FIX  PCRE on a match was writing additional information not
           pertaining to the match in the LOG
 JM   FIX  PCRE found a match and the size of the match was  than the
           buffer size.
 JM   FIX  Declude produced an error when reading the envelope file (SM
           and IM), the HELO line can only be 512 according to RFC-821
           we now truncate after 512 characters.
 JM   FIX  HELO information was reported incorrectly when IPBYPASS is
           set
 JM   FIX  Incoming and Outgoing messages being reported incorrectly
 DEC  ADD  Can use  for 4 digit year on log file names in the format
           ddmm
 DEC  ADD  Added date, Time, Email, Spool name, Weight and Tests failed
           to the BLKLST log
 DEC  FIX  SmarterMail CMDSPACE test. This test was not triggered in
           the SmarterMail envelope as token was changed from cmdspc
           instead of cmdspace we now check for both.
 
 David Barker
 VP Operations Declude
 Your Email security is our business
 978.499.2933 x 7007 office
 978.988.1311 fax
 [EMAIL PROTECTED]
 
  
 
 
 
 
 
 





RE: [Declude.JunkMail] 4.4.00 Released

2008-04-04 Thread Colbeck, Andrew
Thanks, Nick.
 
My friend Google knows the answer:
 
http://www.mail-archive.com/declude.junkmail@declude.com/msg30942.html
 
 
Andrew.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Nick Hayer
Sent: Friday, April 04, 2008 4:09 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] 4.4.00 Released


Andre -

Colbeck, Andrew wrote: 

David Barker said:

DEC ADD Added date, Time, Email, Spool name, Weight and Tests failed
to the BLKLST log
  

I think it's the recording to the blklst.txt file that lives in
the \spool dir.

I have forgotten the file's purpose...

-Nick


Dave, the what log?


Andrew.
 

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On 
Behalf Of David Barker
Sent: Thursday, March 27, 2008 7:30 AM
To: declude.junkmail@declude.com;
[EMAIL PROTECTED]
Subject: [Declude.JunkMail] 4.4.00 Released


4.4.00 Released we will be sending a
notification to all customers.

EVA  ADD  Updated AVG (avgsdk.dll 1.3.511)
EVA  ADD  BANEXT EZIP for encrypted files .RAR can encrypt at the file
          name level requiring a password.
EVA  ADD  ALLOWVULNERABILITIESFROM example.com can be used with just
          domain
EVA  FIX  BANEZIPEXT ON blocking any encrypted file names
EVA  FIX  ALLOWVULNERABILITIESFROM error when non sender
EVA  FIX  Fix Header Vulnerability to accommodate Opera mail Client
          header format
JM   ADD  Updated PCRE (pcre3.dll 7.0)
JM   ADD  Updated CommTouch ZEROHOUR (asapskd.dll 5.05.8)
JM   ADD  Check the SmarterMail Domain Level for Trusted Sender in the
          domainconfig.xml
JM   FIX  PCRE on a match was writing additional information not
          pertaining to the match in the LOG
JM   FIX  PCRE found a match and the size of the match was  than the
          buffer size.
JM   FIX  Declude produced an error when reading the envelope file (SM
          and IM), the HELO line can only be 512 according to RFC-821
          we now truncate after 512 characters.
JM   FIX  HELO information was reported incorrectly when IPBYPASS is
          set
JM   FIX  Incoming and Outgoing messages being reported incorrectly
DEC  ADD  Can use  for 4 digit year on log file names in the format
          ddmm
DEC  ADD  Added date, Time, Email, Spool name, Weight and Tests failed
          to the BLKLST log
DEC  FIX  SmarterMail CMDSPACE test. This test was not triggered in
          the SmarterMail envelope as token was changed from cmdspc
          instead of cmdspace we now check for both.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

 











RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Colbeck, Andrew
Symantec says that backscatter-as-deliberate-spam-technique is back in
vogue. See their April State of Spam Report
 
http://www.symantec.com/enterprise/security_response/weblog/2008/04/post
_8.html
 
 
Andrew.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Todd Richards
Sent: Thursday, April 03, 2008 12:43 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Forged-Spam Backscatter



Jim -

 

I'm running the exact same set up as you are.  We had the same
problem about two weeks ago.  I don't know if this made much difference
or not, but I noticed the domains that we were seeing this with did not
have any SPF records in place.  So when I saw this sudden increase come
through, I added a strict SPF policy for that domain.  The backscatter
for that domain all but stopped.  A few days later, a different domain
was targeted - without an SPF record - and adding one seemed to cure
that.  This happened a few more times, with the results all the same.

 

I'm not at an expert level to say whether this did or did not do
the trick.  Perhaps it was just coincidental.  All the new domains that
are set up and running services through us get strict SPF records put in
place from the start.  However, the older domains that have been around
for a while - that didn't have SPF in place - were the ones that seemed
to have had the problem.  And since then, we haven't had any more
problems with that.

 

I can't say for sure whether their having their email addresses on
their websites was the problem.  For what it's worth, my new policy is
to not put email addresses on public websites.

 

Anyway, just thought I would throw that out there.  

 

Todd

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Jim Comerford
Sent: Thursday, April 03, 2008 1:46 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Forged-Spam Backscatter

 

Over the last several weeks we have seen a dramatic increase in
spam hitting our server.  From about 70,000 mails a day to around
110,000 /day.

 

Most destined for our users is getting properly filtered by
declude.

 

What is getting thru is backscatter from spam that is forging
addresses from domains we host.  It seems just about any address that is
posted on a website seems to be being used to forge outgoing spam (not
from our server) -- and is generating all sorts of bounce messages.

 

I suspect there is not much I can do to block this backscatter
without blocking legit bounce messages... but I thought I'd ask.

 

Here is our config:

Imail 8.22

Declude 4.3.64

invURIBL 3.1.1

Sniffer








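Jim's question above, whether backscatter can be refused without also refusing legitimate bounces, has a standard answer the thread does not mention: Bounce Address Tag Validation (BATV). Outbound mail goes out with a keyed tag in the envelope MAIL FROM; a later bounce (null sender, MAIL FROM:<>) is only accepted if its RCPT TO carries a tag you issued recently. Spam that forges a plain address from one of your domains produces bounces to untagged addresses, which can be rejected at RCPT time. The code below is an added example in the PRVS tag form, not Declude's code and not something from the thread; the key, the seven-day window and the addresses are constructed for the example.

```python
"""Bounce Address Tag Validation (BATV, PRVS form) for rejecting backscatter.

Example code added to this archive page; it is not Declude's code and the
thread does not mention BATV. Key, validity window and addresses are
constructed for the example.
"""
import hashlib
import hmac
import re
import time

KEY = b"constructed-example-key"   # placeholder; a real key stays out of source control
VALIDITY_DAYS = 7                  # bounces for mail older than this are refused
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)@([^@]+)$", re.IGNORECASE)


def _today():
    return int(time.time() // 86400)   # days since the Unix epoch


def _mac(local, domain, day, key):
    """Six hex chars of HMAC-SHA256 over the day number and the real address."""
    msg = f"{day}:{local}@{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def sign_sender(address, day=None, key=KEY):
    """Rewrite user@domain to prvs=KDDDHHHHHH=user@domain for the envelope MAIL FROM.

    K is a key id (0 here), DDD the day number modulo 1000, HHHHHH the MAC.
    """
    local, domain = address.rsplit("@", 1)
    day = _today() if day is None else day
    return f"prvs=0{day % 1000:03d}{_mac(local, domain, day, key)}={local}@{domain}"


def verify_bounce_recipient(address, today=None, key=KEY):
    """Classify the RCPT TO of a null-sender (MAIL FROM:<>) message.

    Returns ('valid', original_address) for a bounce to an address we tagged
    within the validity window, ('untagged', address) for an address we never
    tagged, and ('invalid', address) for an expired or forged tag.
    """
    m = PRVS_RE.match(address)
    if not m:
        return "untagged", address
    _key_id, ddd, mac, local, domain = m.groups()
    original = f"{local}@{domain}"
    today = _today() if today is None else today
    # The tag carries only day % 1000, so try each day inside the window.
    for age in range(VALIDITY_DAYS + 1):
        day = today - age
        if day % 1000 == int(ddd) and hmac.compare_digest(
                mac.lower(), _mac(local, domain, day, key)):
            return "valid", original
    return "invalid", address


def classify_bounce(mail_from, rcpt_to, today=None, key=KEY):
    """Policy hook for the SMTP RCPT stage: only null-sender mail is checked."""
    if mail_from not in ("", "<>"):
        return "accept", rcpt_to            # not a bounce; normal filtering applies
    verdict, address = verify_bounce_recipient(rcpt_to, today, key)
    return ("accept", address) if verdict == "valid" else ("reject-backscatter", address)


if __name__ == "__main__":
    tagged = sign_sender("todd@example.net")
    print(tagged)
    print(classify_bounce("<>", tagged))
    print(classify_bounce("<>", "todd@example.net"))
```

Two caveats follow from the design. Every path that sends mail for the domain has to apply the tag, otherwise genuine bounces for untagged mail (an old submission path, a webmail box, mail sent before the change) are refused along with the backscatter. And the tag is keyed and dated, so a leaked key or a window that is too long lets a forger reuse captured tags; rotating the key id digit is how PRVS allows a key change without breaking bounces already in flight.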

RE: [Declude.JunkMail] Hardware upgrade -Software Crossgrade?

2008-03-10 Thread Colbeck, Andrew
Alexander, you are really citing two problems with your scale and
performance.
 
The first is that you have older hardware and lots of mailboxes. Where
do your CPU and disk spend their time? On antispam, or on servicing
connections and mailboxes?
 
The second is that your spam detection is less than desired.
 
My suggestion is that both problems would be relieved by introducing a
mail gateway in front of your mailboxes. In the Windows world, Alligate
and XWall are popular with Declude/Sniffer users on this list and the
Sniffer support list. With either one, I think you will find that the
gateway will take the brunt of the antispam effort, leaving the back-end
server to service mailbox connections and requests.
 
I bought Alligate and love it, so I'm greatly biased towards it.
 
I would suggest that if your hardware is old, Craig has some very good
practical advice about an upgrade.
 
If you just upgrade, you can outrace the spammers again, but if you
put a gateway in place, you have better options. 
 
If your existing hardware is old, you could replace the fans and disks
and have it become your new gateway, while you purchase some new
hardware for your back-end, which will scale much higher than before
once the back-end has to do less antispam processing.
 
 
Andrew.
 
p.s. Did you have a third problem? Were you implying that the
feature-set of IMail is no longer to your liking? 
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Hirthe, Alexander
Sent: Monday, March 10, 2008 1:44 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Hardware upgrade -Software
Crossgrade?



Hello,

 

We are going to move to new hardware.

 

At the moment we are running Imail 8, Declude, Sniffer. It
works, but Spam detection is not perfect and overall system performance
is getting worse. 

 

Should we 

-  wait for IMail 10? 

-  use IMail 9?

-  stay with Imail 8?

-  move to Smartermail? 

 

We host about 200 domains, with about 2000 Mailboxes.  

 

Alex





Siller AG, Wannenaeckerstrasse 43, 74078 Heilbronn
Vorstand: Prof. H.-F. Siller (Vorsitzender), Joern Buelow, Ralf
Michi
Aufsichtsratsvorsitzender: Armin Sohler
Reg. Gericht Stuttgart, HRB 107707, Ust-Id Nr. DE145782955






RE: [Declude.JunkMail] Is Tqmcube.com dead???

2008-02-21 Thread Colbeck, Andrew
Chuck, was it just the prc.tqmcube.com that returned these?

I see on their own RBL checker web page that only the Peoples Republic
of China zone returns this error.

When I query their servers for a few test IPs, including 127.0.0.2, I
don't get an error or a positive response, everything fails. I've also
tested based on their current dirty 12 list... and what I get is
either a non-existent domain or a query refused response.

Going back to my logs, the last hits I notice are on January 20 2007,
for the DHCP and the TRAP lists. The lists have been either
underperformers or have been down. Check it out like this:

grep -c TQM dec*.log

I see a lot of days with zero hits.

It looks like they're the latest RBL to throw in the towel.


Andrew.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Chuck
 Sent: Wednesday, February 20, 2008 7:57 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Is Tqmcube.com dead???
 
 
 I started seeing these in the headers of messages today.
 
 Tqmcube.com is dead - all queries positive to stop people 
 from using it - you risk loosing all mail unless you stop
 
 Their web site looks the same but I am getting this return
 from them.  Weird and unprofessional.
 
 
 
 
 
 Sent via the WebMail system at mail.warp8.com
 
 
  

 
 
 
 



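Both the CBL thread earlier on this page (the "Denied by Spamhaus XBL" bounce for 8.7.193.82) and the Tqmcube thread just above come down to how a DNSBL is queried and how you tell a working list from one that has gone bad. A list that answers every query, as Chuck saw, is worse than one that answers none, because it blocks all mail. The code below is an added example, not Declude's code: it builds the reversed-octet query name, decodes the Spamhaus ZEN return codes, and runs the RFC 5782 liveness check (127.0.0.2 must be listed, 127.0.0.1 must not be) that would have flagged the Tqmcube failure. The resolver is a constructed in-memory stand-in so the example runs offline; `healthy.test`, `dead.test` and `gone.test` are made-up zone names.

```python
"""DNSBL lookups plus the RFC 5782 liveness check a list should pass.

Example code added to this archive page; it is not Declude's code. The
resolver is a constructed in-memory stand-in so the example runs offline.
"""
import ipaddress

# Spamhaus ZEN return codes as Spamhaus documents them; the bounce quoted in
# the CBL thread ("Denied by Spamhaus XBL") corresponds to the 127.0.0.4-7 range.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 8.7.193.82 -> 82.193.7.8.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


# Constructed answers. The healthy list knows the 127.0.0.2 test entry and one
# made-up listed address; the dead list answers every name, which is the
# failure mode reported for Tqmcube; gone.test never answers.
FAKE_A_RECORDS = {
    "2.0.0.127.healthy.test": ["127.0.0.2"],
    "7.100.51.198.healthy.test": ["127.0.0.4"],
}


def fake_resolve_a(qname):
    """Stand-in for an A-record lookup against the constructed lists."""
    if qname.endswith(".dead.test"):
        return ["127.0.0.2"]
    return FAKE_A_RECORDS.get(qname, [])


def lookup(ip, zone, resolve=fake_resolve_a):
    """Return the A answers for ip in zone; an empty list means not listed."""
    return resolve(dnsbl_query_name(ip, zone))


def describe_listing(ip, zone, resolve=fake_resolve_a):
    """Translate the answers for a ZEN-style list into sub-list names."""
    return sorted({ZEN_CODES.get(a, "unknown:" + a) for a in lookup(ip, zone, resolve)})


def dnsbl_health(zone, resolve=fake_resolve_a):
    """RFC 5782 section 5: 127.0.0.2 must be listed and 127.0.0.1 must not be.

    'dead'     - 127.0.0.1 is listed: the zone answers everything; stop using it
    'inactive' - 127.0.0.2 is not listed: the zone is empty or not answering
    'ok'       - both checks pass
    """
    if lookup("127.0.0.1", zone, resolve):
        return "dead"
    if not lookup("127.0.0.2", zone, resolve):
        return "inactive"
    return "ok"


def usable_lists(zones, resolve=fake_resolve_a):
    """Keep only the configured zones that pass the health check."""
    return [z for z in zones if dnsbl_health(z, resolve) == "ok"]


if __name__ == "__main__":
    print(dnsbl_query_name("8.7.193.82", "zen.spamhaus.org"))
    for zone in ("healthy.test", "dead.test", "gone.test"):
        print(zone, dnsbl_health(zone))
```

Running the health check on a schedule, and dropping a zone that comes back "dead" or "inactive" before the next queue run, is the automated version of Andrew's `grep -c TQM dec*.log` habit: a list that has quietly stopped answering costs you hits, but a list that starts answering everything costs you all your mail.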


RE: [Declude.JunkMail] OT: Yahoo Blocking Email

2008-02-21 Thread Colbeck, Andrew
And as a further best practice to what Matt is advising, I'll mention
that ideally you want to send all outbound mail from an IP that is
different from your inbound gateways. And that your outbound bulk mail
would be separate from both.


Andrew.

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Matt
 Sent: Thursday, February 21, 2008 9:41 AM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email
 
 
 I did this once about a year and a half ago for a client and they 
 responded fairly quickly, but the full process took about a 
 month before 
 they whitelisted it.
 
 If you are bulk mailing from your hosted mail server, you 
 need to stop.  
 Never send bulk E-mail from a hosted mail server, and it is 
 also good to 
 use a different domain for bulk mailing.  I'm not saying that is the 
 case here, but bulk mailing can trip Yahoo.
 
 In the meantime, you might want to see if you can just
 switch your IP 
 address to see if that will work.
 
 Matt
 
 
 
 Dave Beckstrom wrote:
  Hi All,
 
  Has anyone figured out how to stop Yahoo from blocking 
 email?  They've
  blocked all email from our servers for about 3 weeks.  I've 
 submitted their
  forms but it hasn't done any good.
 
  Dave
 
 
 
 
 
 

 
 
 
 
 





RE: [Declude.JunkMail] Is Tqmcube.com dead???

2008-02-21 Thread Colbeck, Andrew
Interesting news, David. And thanks for the tip about Al's blog.

I think fixed is an overstatement.

I just tested 8 IP addresses that were previously listed in January in
the DHCP or SPAMTRAP RBL, plus three longtime Chinese IP addresses in
the PRC, and none of them are listed right now.

I don't expect that the problems posted to the newsgroups, nor the DNS
server timeouts and refusals I saw last night are going to get any
better, so this RBL provider is going to stay out of my global.cfg file.


Andrew.
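The two Tqmcube messages above describe the same failure from both ends: a zone that goes dark (zero hits for months, refused queries) and a zone that flips to answering positive for everything, which rejects all mail if its test still carries weight. The following is an added example, not Declude or Tqmcube code, of the probe a defender can run before trusting a DNSBL; the resolver is injected so it runs offline, and the zone names and answers in the demo are constructed.

```python
"""DNSBL health check using the probe addresses RFC 5782 section 5 reserves
for every IPv4 blocklist: 127.0.0.2 must be listed, 127.0.0.1 must never be.
A zone failing either check should lose its weight in global.cfg.
"""
from enum import Enum
from typing import Callable, List, Set


class RblState(Enum):
    HEALTHY = "healthy"
    UNRESPONSIVE = "dead: queries refused or timing out"
    LISTS_EVERYTHING = "dead: 127.0.0.1 is listed, test would reject all mail"
    LISTS_NOTHING = "dead: 127.0.0.2 is not listed, test can never hit"


class DnsError(Exception):
    """Server failure (REFUSED, SERVFAIL, timeout). NXDOMAIN is *not* an error
    for a DNSBL: it is the normal answer for an unlisted address."""


# resolve(name) returns the A records for name, [] on NXDOMAIN, or raises DnsError
Resolver = Callable[[str], List[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: reversed IPv4 octets under the zone,
    e.g. 127.0.0.2 in dhcp.tqmcube.com -> 2.0.0.127.dhcp.tqmcube.com."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def assess_rbl(zone: str, resolve: Resolver) -> RblState:
    """Probe the two reserved addresses and classify the zone."""
    try:
        must_be_listed = resolve(rbl_query_name("127.0.0.2", zone))
        must_not_be_listed = resolve(rbl_query_name("127.0.0.1", zone))
    except DnsError:
        return RblState.UNRESPONSIVE
    if must_not_be_listed:          # "all queries positive" shutdown mode
        return RblState.LISTS_EVERYTHING
    if not must_be_listed:          # answers, but never says "listed"
        return RblState.LISTS_NOTHING
    return RblState.HEALTHY


def keep_in_global_cfg(state: RblState) -> bool:
    """Operator decision: only a healthy zone keeps its weight."""
    return state is RblState.HEALTHY


def fake_resolver(listed: Set[str], failing: bool = False) -> Resolver:
    """Constructed stand-in for a real lookup (e.g. socket.gethostbyname_ex):
    answers 127.0.0.2 for names in `listed`, NXDOMAIN (empty) otherwise."""
    def resolve(name: str) -> List[str]:
        if failing:
            raise DnsError("REFUSED")
        return ["127.0.0.2"] if name in listed else []
    return resolve


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: one zone behaving, one
    # refusing queries, one flipped to "all queries positive".
    scenarios = {
        "healthy.example": fake_resolver({"2.0.0.127.healthy.example"}),
        "refused.example": fake_resolver(set(), failing=True),
        "allpositive.example": lambda name: ["127.0.0.2"],
    }
    for zone, resolver in scenarios.items():
        state = assess_rbl(zone, resolver)
        print("%-20s %-55s keep=%s" % (zone, state.value, keep_in_global_cfg(state)))
```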
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, February 21, 2008 10:05 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Is Tqmcube.com dead???
 
 
 Just an FYI
 
 TQM cube is back up and running. Rumor has it that someone 
 poisoned their
 DNS cache. They've since gone in and fixed it.
 
 David Barker
 VP Operations Declude
 Your Email security is our business
 978.499.2933 x 7007 office
 978.988.1311 fax
 [EMAIL PROTECTED]
 
  
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Chuck
 Schick
 Sent: Thursday, February 21, 2008 11:06 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Is Tqmcube.com dead???
 
 We are seeing this on the dhcp.tqmcube.com - that is the only 
 one we were
 running.  
 
 It is very inconsistent.  Contrary to their message not every email is
 returning a hit.  I turned the test off for now.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Colbeck,
 Andrew
 Sent: Thursday, February 21, 2008 12:58 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Is Tqmcube.com dead???
 
 Chuck, was it just the prc.tqmcube.com that returned these?
 
 I see on their own RBL checker web page that only the 
 People's Republic of
 China zone returns this error.
 
 When I query their servers for a few test IPs, including 
 127.0.0.2, I don't
 get an error or a positive response, everything fails. I've 
 also tested
 based on their current dirty 12 list... and what I get is either a
 non-existent domain or a query refused response.
 
 Going back to my logs, the last hits I notice are on January 
 20 2007, for
 the DHCP and the TRAP lists. The lists have been either 
 underperformers or
 have been down. Check it out like this:
 
 grep -c TQM dec*.log
 
 I see a lot of days with zero hits.
 
 It looks like they're the latest RBL to throw in the towel.
 
 
 Andrew.
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Chuck
  Sent: Wednesday, February 20, 2008 7:57 PM
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] Is Tqmcube.com dead???
  
  
  I started seeing these in the headers of messages today.
  
  Tqmcube.com is dead - all queries positive to stop people 
 from using 
  it - you risk losing all mail unless you stop
  
  Their web site looks the same but I am getting this return 
 from them.  
  Weird and unprofessional.
  
  
  
  
  
  Sent via the WebMail system at mail.warp8.com
  
  
   
 
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 





RE: [Declude.JunkMail] How can I filter this...?

2008-02-08 Thread Colbeck, Andrew
(another country heard from)

David... Chuck... the MAILFROM is going to filter based on the
server-side conversation (i.e. for IMail users, it will be the value
from the Q*.smd file, not any text in the D*.smd file).

The example that Chuck gave is going to be the From: line in the message
header, which is not the same.

Also, vigara is not equal to viagra so Dave's first example PCRE
filter doesn't match the text that Chuck supplied.

So that would be two reasons why it didn't work.


Andrew.
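Andrew's two reasons can be checked directly. This is an added example, not Declude's code: the message and envelope sender are constructed stand-ins for the masked addresses in the thread, and the MISSPELLINGS pattern is an illustrative assumption of mine, not a filter line anyone in the thread proposed.

```python
"""Why a MAILFROM ... PCRE line never fires on Chuck's sample.

Declude's MAILFROM test sees the SMTP envelope sender (the Q*.smd value on
IMail), not the From: header inside the message body (D*.smd). Chuck's
"vigara" is the display name of From:, so an envelope test cannot see it,
and David's pattern spells "viagra", which "vigara" does not match anyway.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Tuple

# Constructed sample: the message (D*.smd) and the envelope sender (Q*.smd).
MESSAGE = """From: vigara <sender@example.invalid>
To: victim@example.invalid
Subject: hello

body text
"""
ENVELOPE_SENDER = "sender@example.invalid"      # SMTP MAIL FROM

DAVIDS_PCRE = re.compile(r"(?i:.*viagra.*@)")   # the filter line from the thread
# Assumed header-side pattern that accepts the transposition in "vigara"
# as well as the straight spelling.
MISSPELLINGS = re.compile(r"(?i)\bv(?:ia|ig)[ag]ra\b")


def mailfrom_matches(envelope_sender: str, pattern: "re.Pattern") -> bool:
    """What a MAILFROM ... PCRE line evaluates: the envelope address only."""
    return pattern.search(envelope_sender) is not None


def from_header_parts(raw_message: str) -> Tuple[str, str]:
    """Split the From: header into (display name, address) per RFC 5322."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))


def display_name_matches(raw_message: str, pattern: "re.Pattern") -> bool:
    """A header-side check on the display name, where 'vigara' actually sits."""
    name, _address = from_header_parts(raw_message)
    return pattern.search(name) is not None


if __name__ == "__main__":
    name, address = from_header_parts(MESSAGE)
    print("envelope sender:", ENVELOPE_SENDER)
    print("From: display name=%r address=%r" % (name, address))
    print("MAILFROM PCRE hits envelope?       ", mailfrom_matches(ENVELOPE_SENDER, DAVIDS_PCRE))
    print("same PCRE hits display name?       ", display_name_matches(MESSAGE, DAVIDS_PCRE))
    print("misspelling PCRE hits display name?", display_name_matches(MESSAGE, MISSPELLINGS))
```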



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Friday, February 08, 2008 1:40 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] How can I filter this...?
 
 
 This is what Chuck requested.
 
 Now the declude sender is [EMAIL PROTECTED] but I want to filter 
 the sender name
 of vigara.  
 
 If you show me what you are trying to do in the headers perhaps I
 can help?
 
 David B
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of John
 Shacklett
 Sent: Friday, February 08, 2008 4:36 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] How can I filter this...?
 
 Isn't the mailfrom in this case [EMAIL PROTECTED] and not the 
 vigara part? Chuck
 is looking for a way to filter based on the name attached 
 to the address
 and not the specific address proper, isn't that right Chuck? 
 
 I'm butting in here because I'm trying to capture something 
 similar using
 the same logic, and using a headers specification in the 
 filter is too
 broad for what I'm trying to do.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David
 Barker
 Sent: Friday, 08 February 2008 3:56 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] How can I filter this...?
 
 How so, can you show the X-Declude-Sender line that it did 
 not work on ?
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Chuck
 Schick
 Sent: Friday, February 08, 2008 3:50 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] How can I filter this...?
 
 David:
 
 The first one does not work.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David
 Barker
 Sent: Wednesday, February 06, 2008 12:25 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] How can I filter this...?
 
 Chuck you have several options:
 
 
 MAILFROM  5   STARTSWITH  Viagra
 MAILFROM  5   CONTAINS    Viagra
 MAILFROM  5   PCRE (?i:.*viagra.*@)
 
 
 David Barker
 VP Operations Declude
 Your Email security is our business
 978.499.2933 x 7007 office
 978.988.1311 fax
 [EMAIL PROTECTED]
 
  
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Chuck
 Schick
 Sent: Wednesday, February 06, 2008 2:17 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] How can I filter this...?
 
 Spam email is sent and the from line is
 
 vigara [EMAIL PROTECTED]
 
 Now the declude sender is [EMAIL PROTECTED] but I want to filter 
 the sender name
 of vigara.  Seems like it should be simple but it is eluding me.
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Colbeck, Andrew
If it is going on all the time, use the command line and issue:

netstat -b

which will show you the executable name and the connection.

If you need to narrow down the TCP connection over a longer period of
time, use the free TCPView from  Sysinternals dot com (now a Microsoft
Technet site).

Perhaps someone else will have an opinion on a good host based firewall
for an email server.


Andrew.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Howard Smith (N.O.R.A.D.)
 Sent: Friday, January 04, 2008 11:55 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Blackice Server EndOfLife - 
 need replacement
 
 To replace blackice functions as to load on a server and monitor and block
 what applications send out on individual ports. I have an offending app or
 task that is trying to send out on random ports; I am trying to find it and
 block it.
 
  
 Howard Smith
 N.O.R.A.D. Inc.
 P.O. Box 680116
 Miami, Florida 33168  
 www.norad.com 
 www.securetrek.com
 www.siteshuttle.com
 www.audiovideotrek.com
 [EMAIL PROTECTED]
 Office - (305) NETWORK (638-9675)
 Sales - (786) 206-0045
 Fax 1 - (305) 359-5144
  
 
 Confidentiality Notice: This email message, including any 
 Attachments, is
 for the sole use of the intended recipient(s) and may contain 
 confidential
 and privileged information. Any unauthorized review, use, 
 disclosure or
 distribution is prohibited. If you are not the intended 
 recipient, please
 contact  [EMAIL PROTECTED] by email and destroy all copies of 
 the original
 message. 
  
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Matt
 Sent: Friday, January 04, 2008 2:25 PM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] Blackice Server Settings
 
 In relation to spam or in relation to security?
 
 My answers would be Alligate (on a separate server) and a firewall, 
 respectively.
 
 Matt
 
 
 
 Howard Smith (N.O.R.A.D.) wrote:
  ISS no longer supports blackice and it is no longer in production, what
  are users replacing it with?
 
   
  Howard Smith
  . 
   
   
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Dave
  Beckstrom
  Sent: Wednesday, September 27, 2006 5:58 PM
  To: declude.junkmail@declude.com
  Cc: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] Blackice Server Settings
 
  I've gotten some requests to post the information on how to 
 use Blackice
  Server to block email harvesting attacks.  So here it is!
 
 
  Before you install Blackice Server you must turn Data 
 Execution Prevention
  OFF on your server.  Blackice and DEP will not coexist.  On 
 your server
  right click on MY COMPUTER then go to properties and then go to
 advanced.
  Under performance, select the SETTINGS button and then 
 click on the Data
  Execution Prevention tab.  If DEP is listed as enabled for anything,
 remove
  it for the listed services.
 
  Next, you can install Blackice.
 
  When you install Blackice server you should install it with 
 the trusting
  mode enabled to allow all inbound traffic.  I believe it 
 asks you what you
  want when you install Blackice.  I don't recall for sure if 
 it does or not
  because it has been several years since I installed it.   
 If it doesn't
 ask
  you the protection level that you want, after you install 
 blackice you can
  go into the GUI and go to the firewall tab and under 
 protection level you
  can select trusting: allow all inbound traffic
 
  Blackice should run without causing you any trouble so you 
 should have
 time
  to complete the other configuration items.  The whole install and
  configuration only took me about 15 minutes.  I installed it on a
 dedicated
  email server.  I don't have any experience with Blackice on a server
 running
  other stuff besides email and webmail.
 
  Also, you can always stop the Blackice service if you hit a problem.
  Blackice does its thing by watching traffic across the 
 network card.  If
 you
  stop Blackice then it's effectively as if Blackice isn't
 installed on the
  server.  When the service is stopped Blackice is gone and 
 all is back as
 it
  was before. 
 
  Attached is the issuelist.csv file which comes with Blackice server.
  Blackice uses this file as a database of different types of 
 attacks.  Line
  227 had to be modified to indicate an action of IP|RST.  
 The IP|RST tells
  Blackice to block the IP of the attacker as the action to 
 take.  Ignore
 the
  comments to the far right of line 227.  The comments say to 
 block the
  attacker if they attempt to send email to 10 non-existent 
 email addresses
  within 120 seconds.  The QTY/Timeframe is actually 
 specified elsewhere.
 All
  you need to change in this file is to add IP|RST to line 227.  The
 attached
  file already has the change.  It is from the most current version of
  Blackice so if you just bought Blackice you can move the 

RE: [Declude.JunkMail] 4.3.46

2007-12-27 Thread Colbeck, Andrew
 
Happy Holidays, David!

How about a shiny new all_list.dat to ring in the New Year?


Andrew.














RE: [Declude.JunkMail] Hardware Upgrade

2007-12-21 Thread Colbeck, Andrew
Hello, Serge.

I'm happy to chime in here, but let me start off with saying that you
will get divergent opinions here, and that nobody will be absolutely
right, as our answers are coloured by our own experiences, and each
implementation is unique.

I'll also start off with asking you for your current and your intended
message volumes, general architecture and software mix. Answering these
details will help you keep the arguments comparing apples to apples
because what is true for one respondent with low volume will not be true
for another respondent with crushingly high volumes!


My answers:

1- Memory

I used to agonize over making the exact right decision regarding
slots, interleaving and multipliers; my truth *now* is that these are
tweaks that make 2% to 6% of the raw memory speed in benchmarks and that
it makes precious little difference in the real world for, say, an email
server.

Memory is relatively cheap; buy as much as you want as long as it's from a
name brand like Kingston, avoiding for example buying it from HP (the
days are long gone where Compaq would tell you to remove 3rd party RAM
to get support from them).

2- Disk technology

Yes, my truth is that your fast servers need SCSI, SAS or a SAN based on
those technologies. For bulk storage, choose SATA to save you a lot of
money on back-end servers.

In addition, buy a battery backed RAM cache controller for your RAID
controller; this will enable write-caching on the RAID controller. An
HP RAID controller will not assume that you have a battery backed UPS,
and will not cache writes without this add-on. The throughput of your
write operations is critical for a busy email server. If you buy an HP
Proliant server based on SAS with 6 internal drives you will also need a
second controller cable.

3- Disk layout

Don't go cheap and use a single unprotected drive for any purpose. I
used to like that format too, but my uptime and remediation time is more
important than the cost of the drive technology.

The layout you've described, it's good. Put the swap file on the System
drive.

Other commentary:

If you use HP, you really really really should use their Firmware Update
and SmartStart install CDs. Download the current version rather than
using the one that comes in the box. Also update your HP Insight Manager
once the OS is installed, and set up your HP Insight Manager to send
email alerts to a generic helpdesk account within your tech support team
and *never* to just one staff member.

The cefib.com domain is an ISP; I'd actually recommend TWO servers that
are less expensive instead of one large one for your environment.

The first server: As an antispam gateway for your inbound mail.

The second server: As your mailbox store and for your outbound mail.

Put monitoring software on each, watching the other server and your
other connectivity as required.


Andrew.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Serge
 Sent: Friday, December 21, 2007 1:41 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Hardware Upgrade
 
 Hi
 
 We are planning a hardware upgrade for February, after 5
 years on the previous ML370G2
 
 We will buy a 2slot QuadXeon Motherboard, 1.333FSB, and
 2x2.33GHz QuadXeon, 2GB DDR2 and have some technical
 questions for the resident techies
 
 1- Should we get the fastest memory available, or should the 
 memory speed be a divider of 1333 or 2.33 ?
 
 2- Does a mail server really need SCSI or SAS @15K/Minute ? 
 or regular SATA @ 7K or 10K enough ?
 
 3- We are planning on using :
 
 2 HD in Raid1 for System
 2 HD in Raid1 for Mailboxes
 2 HD in Raid1 for Spool
 
 Where should we put the virtual Memory ?
 
 Or, is it better to have
 
 2 HD in Raid1 for System
 2 HD in Raid1 for Mailboxes
 1 HD Spool
 1 HD for VM
 
 You all have a good weekend and a merry Christmas next week
 
 Serge Dergham
 
 
 
 
 
 





RE: [Declude.JunkMail] filters

2007-11-26 Thread Colbeck, Andrew
Bonno, you can do this, but probably not in a single filter file.
 
A couple of key points for advanced filter file usage:
 
You can define weights per tests in a filter file, and you can assign
weight to a whole filter file, and these weights are cumulative.
 
You can trigger a filter file even when the weight assigned to the tests
is zero, and then use the TestsFailed test to determine whether the
whole filter file was triggered.
 
Inside of a single filter file you can have many tests with a single
point, and then use the MinWeightToFail and MaxWeight predicates to
control the weight assigned in a filter file.
 
For filter files, the order they appear in your global.cfg is also their
order of execution, so you can effectively construct AND statements by
having files called test1, then test2 and then a result file that uses
TestsFailed to determine if the other tests were triggered.
 
So...
 
FILTER-VFRIEND-SUBJECT
 
which only tests for a subject, and sets the weight to 0, e.g.
 
SUBJECT 0 IS zoek een vaste vriend
 
 
FILTER-VFRIEND-LINK
 
which only tests for a variety of links, e.g.
 
BODY 0 CONTAINS http://geocities.com/
 
 
FILTER-VFRIEND-TEXT
 
which only tests for a variety of text
 
BODY 0 CONTAINS Ik zoek een vriend
BODY 0 CONTAINS seks-partner

 
and then last, your result that actually assigns weight:
 
FILTER-VFRIEND-SEKS-BOMB
 
TESTSFAILED END NOTCONTAINS FILTER-VFRIEND-SUBJECT
TESTSFAILED END NOTCONTAINS FILTER-VFRIEND-LINK
TESTSFAILED 15  CONTAINS    FILTER-VFRIEND-TEXT
 
 
If the filter files contain lots of triggers, some of which are bad and
you want to award points anyway, you can use the MinWeightToFail and
MaxWeight to control the minimum hits and the maximum weight in a given
filter file.
 
If you want to save every last bit of processing time, when you have
multiple tests, you can use the TESTSFAILED END NOTCONTAINS at the top
of each subsequent one so that processing is skipped. In the example
above, you would have FILTER-VFRIEND-SUBJECT always run, but
FILTER-VFRIEND-LINK would end if FILTER-VFRIEND-SUBJECT hadn't triggered
(failed), and FILTER-VFRIEND-TEXT would end if FILTER-VFRIEND-LINK
hadn't triggered (failed), and then FILTER-VFRIEND-SEKS-BOMB would only
have to test whether FILTER-VFRIEND-TEXT was triggered.
 
Andrew 8)
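To make the TESTSFAILED / END / zero-weight mechanics above traceable, here is an added example that models the four-file chain and Bonno's single file on constructed messages. It is not Declude's engine: it assumes case-insensitive matching, that a file is "triggered" (and so appears in TestsFailed) once any non-END line in it matches, even at weight 0, and that a matching END line stops that file without triggering it; files run in global.cfg order.

```python
"""Toy evaluator for Declude-style filter files chained through TESTSFAILED."""
from typing import List, Set, Tuple, Union

Weight = Union[int, str]                 # an int, or the literal "END"
Line = Tuple[str, Weight, str, str]      # (test, weight, op, value)
FilterFile = Tuple[str, List[Line]]

# Andrew's four files, including the optional short-circuit guards.
VFRIEND_CHAIN: List[FilterFile] = [
    ("FILTER-VFRIEND-SUBJECT", [
        ("SUBJECT", 0, "IS", "zoek een vaste vriend")]),
    ("FILTER-VFRIEND-LINK", [
        ("TESTSFAILED", "END", "NOTCONTAINS", "FILTER-VFRIEND-SUBJECT"),
        ("BODY", 0, "CONTAINS", "http://geocities.com/")]),
    ("FILTER-VFRIEND-TEXT", [
        ("TESTSFAILED", "END", "NOTCONTAINS", "FILTER-VFRIEND-LINK"),
        ("BODY", 0, "CONTAINS", "Ik zoek een vriend"),
        ("BODY", 0, "CONTAINS", "seks-partner")]),
    ("FILTER-VFRIEND-SEKS-BOMB", [
        ("TESTSFAILED", "END", "NOTCONTAINS", "FILTER-VFRIEND-SUBJECT"),
        ("TESTSFAILED", "END", "NOTCONTAINS", "FILTER-VFRIEND-LINK"),
        ("TESTSFAILED", 15, "CONTAINS", "FILTER-VFRIEND-TEXT")]),
]

# Bonno's single file (abridged), which awards partial points line by line.
VRIEND_SINGLE: List[FilterFile] = [
    ("FILTER-VRIEND", [
        ("SUBJECT", 10, "IS", "zoek een vaste vriend"),
        ("BODY", 2, "CONTAINS", "http://geocities.com/"),
        ("BODY", 5, "CONTAINS", "http://geocities.com/KatieDavenport89"),
        ("BODY", 5, "CONTAINS", "Ik zoek een vriend / seks-partner")]),
]


def _text_hit(op: str, haystack: str, needle: str) -> bool:
    h, n = haystack.lower(), needle.lower()
    if op == "IS":
        return h == n
    if op == "CONTAINS":
        return n in h
    if op == "NOTCONTAINS":
        return n not in h
    raise ValueError("unsupported operator: " + op)


def run_filter(lines: List[Line], subject: str, body: str,
               failed: Set[str]) -> Tuple[int, bool]:
    """Evaluate one filter file top to bottom; returns (weight, triggered)."""
    weight, triggered = 0, False
    for test, w, op, value in lines:
        if test == "TESTSFAILED":
            present = value.upper() in failed
            if op == "CONTAINS":
                hit = present
            elif op == "NOTCONTAINS":
                hit = not present
            else:
                raise ValueError("unsupported operator: " + op)
        elif test in ("SUBJECT", "BODY"):
            hit = _text_hit(op, subject if test == "SUBJECT" else body, value)
        else:
            raise ValueError("unsupported test: " + test)
        if not hit:
            continue
        if w == "END":                 # guard matched: stop this file here
            return weight, triggered
        weight += int(w)
        triggered = True
    return weight, triggered


def run_chain(filters: List[FilterFile], subject: str,
              body: str) -> Tuple[int, List[str]]:
    """Run the files in order, accumulating weight and the TestsFailed list."""
    failed: List[str] = []
    total = 0
    for name, lines in filters:
        weight, triggered = run_filter(lines, subject, body, set(failed))
        if triggered:
            failed.append(name)
            total += weight
    return total, failed


if __name__ == "__main__":
    # Constructed messages: the full pattern, and a subject-only near miss.
    spam_subject = "zoek een vaste vriend"
    spam_body = "Hoi! Ik zoek een vriend. Kijk op http://geocities.com/KatieDavenport89"
    print("chain, full match:   ", run_chain(VFRIEND_CHAIN, spam_subject, spam_body))
    print("chain, subject only: ", run_chain(VFRIEND_CHAIN, spam_subject, "geen link"))
    print("single, subject only:", run_chain(VRIEND_SINGLE, spam_subject, "geen link"))
```

The subject-only case is the difference Bonno asked about: the chain yields 0 because FILTER-VFRIEND-SEKS-BOMB never reaches its weighted line, while the single file hands out 10 points for the subject alone.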
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Bonno Bloksma
Sent: Monday, November 26, 2007 7:03 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] filters


Hi,
 
Every example I see at the Declude site for lines in a filter
file seems to indicate that I HAVE to have a weight listed or some
other action.
What if I want to create a filter file that identifies the
specific mails and then assign a weight in the global file?
 
For instance, we now get some spam with a specific subject, a
specific line of text in each mail and a link to geocities.
I want mail that has all characteristics to get a certain
weight.
Global.cfg
FILTER-VRIEND  filter C:\IMail\Declude\Filters\Vriend.txt  x 0 0

Vriend.txt
SUBJECT 10 IS zoek een vaste vriend
BODY 2 CONTAINS http://geocities.com/
BODY 5 CONTAINS http://geocities.com/KatieDavenport89
BODY 5 CONTAINS http://geocities.com/ElbertMacias
BODY 5 CONTAINS http://geocities.com/ZachariahBuck33
BODY 5 CONTAINS http://geocities.com/JanHammond97
BODY 5 CONTAINS http://geocities.com/GenaroRogers
BODY 5 CONTAINS Ik zoek een vriend / seks-partner

But this is not quite what I want. I want to assign 15 points if
the subject is correct, if the specific line of text is there and if
there is a geocities link.
 
And then I could add some weight if a specific geocities link is
present.
So... how do I do that?
 


Kind regards,
Bonno Bloksma
head of systems administration


tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl






RE: [Declude.JunkMail] Interesting Spam

2007-09-06 Thread Colbeck, Andrew
Well, the easy part is answering your question about the domains.

Each of the payload domains was registered today, so whatever service
you're using to look up the registrations is probably using a database
at least a day behind.

I use (for example) this site to my satisfaction:

http://whois.domaintools.com/sdsdm.com



Andrew.


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Dave Beckstrom
 Sent: Thursday, September 06, 2007 3:07 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Interesting Spam
 
 We're getting a rash of spam that doesn't score high enough 
 to be blocked.
 In the past I've looked up the domain owner of the site 
 listed in the spam
 and been able to identify sometimes dozens of domains owned 
 by the spammer,
 then I've put that list into a filter and blocked the domains 
 before they
 were all used in new spam sent to us.
 
 I did a whois on some of the domains and they all show as 
 available and
 unregistered.  Yet when I go to the domain, it does take me 
 to the spammers
 site.  How can these domains be functional and show as available to be
 registered at the same time?
 
 Below is a paste of one of the spams.  I added 3 additional 
 domains that
 have appeared in this same asshole's spam so that you can see 
 the pattern of
 domains he is using. 
 
 How do I block these?
 
 Dave
 
 
 
 X-Note: 
 X-Note: Spam Score: [18]
 X-Note: Scan Time: 16:47:18 on 06 Sep 2007
 X-Note: Spool File: 35111367.eml
 X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
 X-Note: SMTP Sender: [EMAIL PROTECTED]
 X-Note: Reverse DNS  IP: dsl88-233-31730.ttnet.net.tr 
 [88.233.123.242]
 X-Note: Country Chain: TURKEY-destination
 X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
 SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
 X-Note: 
 
 
 -Original Message-
 From: Tam Genois [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, September 06, 2007 1:15 PM
 Subject: [SPAM]- Score (12)tuile
 
 How it is going Genois
 Do you want to have an average to small penis all of your 
 life? No, you
 don't
 
 dae Hays
 http://soltepec.com/
 http://selenan.com/
 http://www.seriia.com/
 http://www.sdsdm.com/
 
 
 
 
 
 
 





RE: [Declude.JunkMail] APEWS test results

2007-08-31 Thread Colbeck, Andrew
FYI, both SORBS and UCEPROTECT stopped mirroring APEWS due to the low
quality of the list.
 
Also, the SANS ISC recently diarized an issue with the APEWS using one
of their sources in a manner they do not recommend:
 
http://isc.sans.org/diary.html?storyid=3189
 
 
Andrew.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Scott Fisher
Sent: Tuesday, June 19, 2007 7:01 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] APEWS test results



I ran the 2 apews lists for about a week, and they are quite a
bit scary.

 

APEWS-L1-RHSBL   4329 total hits   3537 spam  792 ham

 

 

APEWS-L1-DNSBL  21364 total hits   20070 spam  1294 ham

 

 

False positives on companies: admworld.com, amazon.com,
godaddy.com, marketwire.com, Purina.com, state.ny.us

False positives on email companies: bluehornet.com,
constantcontact.com

False positives on ISPs: aol.com, bellnet.ca, charter.net,
Comcast.net, earthlink.net, hotmail.com, sbcglobal.com, yahoo.com,
tiscali.co.uk, sina.com

 

Scott Fisher

Dir of IT

Farm Progress Companies

191 S Gary Ave

Carol Stream, IL 60188

Tel: 630-462-2323

 

This email message, including any attachments, is for the sole
use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient,
please contact the sender by reply email and destroy all copies of the
original message. Although Farm Progress Companies has taken reasonable
precautions to ensure no viruses are present in this email, the company
cannot accept responsibility for any loss or damage arising from the use
of this email or attachments.

 







RE: [Declude.JunkMail] New Spam

2007-08-22 Thread Colbeck, Andrew
Here are two links from antivirus vendors that describe the template the
Storm botnet has been putting out. These should be very useful in
crafting regexp to catch them all based on their body text.

http://www.f-secure.com/weblog/#1255

 
http://www.symantec.com/enterprise/security_response/weblog/2007/08/new_storm_front_moving_in.html

Caveat: I've no idea how long this information will remain valid.

Andrew.
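David's BODY PCRE, quoted further down in this thread, can be exercised against his Poker World sample to see exactly what it keys on: a trigger word (click/login/link) followed within 50 characters on the same line by an http:// URL whose host is a bare IPv4 literal. This is an added example, not Declude code; the two negative messages are constructed, and Python's re accepts the (?i:...) scoped-flag group, so the pattern is used unchanged.

```python
"""Run the IP-literal lure rule from the thread over sample bodies."""
import re
from typing import List, Tuple

IP_LURE = re.compile(
    r"(?i:(Click|login|link).{0,50}http://"
    r"((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
)

# David's sample from the thread.
POKER_SPAM = """Welcome Member,

Thank You for Joining Poker World.

Membership Number: 3398118525
Temp Login ID: user3668
Your Password ID: di150

Please keep your account secure by logging in and changing
your login info.

Use this link to change your Login info:  http://85.113.198.210/

Thank You,
Welcome Department
Poker World
"""

# Constructed negatives: a hostname URL, and an IP literal beyond the 50-char window.
BENIGN = "Click here to log in: https://mail.example.invalid/webmail\n"
FAR_APART = "Click here " + "." * 60 + " http://85.113.198.210/\n"


def find_ip_lures(body: str) -> List[Tuple[str, str]]:
    """Return (trigger word, IP literal) for every hit of the rule.
    The greedy .{0,50} stretches to the last http:// in the window, so the
    IP is taken from the tail of the match."""
    hits = []
    for m in IP_LURE.finditer(body):
        ip = m.group(0).lower().rsplit("http://", 1)[1]
        hits.append((m.group(1).lower(), ip))
    return hits


def filter_weight(body: str, weight: int = 10) -> int:
    """The weight the BODY line contributes; David's line uses 10."""
    return weight if IP_LURE.search(body) else 0


if __name__ == "__main__":
    for label, body in (("poker spam", POKER_SPAM), ("benign", BENIGN), ("far apart", FAR_APART)):
        print("%-11s hits=%s weight=%d" % (label, find_ip_lures(body), filter_weight(body)))
```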


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of David Barker
 Sent: Wednesday, August 22, 2007 8:54 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] New Spam

 Updated filter line to:

 (?i:(Click|login|link).{0,50}http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of David
 Barker
 Sent: Tuesday, August 21, 2007 10:14 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] New Spam

 Thanks :) Much appreciated.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 SJ.Stanaitis
 Sent: Tuesday, August 21, 2007 9:57 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] New Spam

 Just something I've been meaning to say for a bit.

 Declude RULES.

 Thanks David!
 --SJ

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
 Behalf Of David Barker
 Sent: Tuesday, August 21, 2007 9:39 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] New Spam

 Filter Line:

 BODY  10  PCRE  (?i:(Click|login|link).{0,50}http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))

 Example Below:
 
 Welcome Member,

 Thank You for Joining Poker World.

 Membership Number: 3398118525
 Temp Login ID: user3668
 Your Password ID: di150

 Please keep your account secure by logging in and changing
 your login info.

 Use this link to change your Login info:  http://85.113.198.210/

 Thank You,
 Welcome Department
 Poker World
 

 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311  
 E: [EMAIL PROTECTED]




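David's filter PCRE, reassembled on one line and run against a few message bodies, as an added example that is not part of the original thread. The Poker World line is the one quoted above; the other bodies are constructed here. Python's re module treats every construct in this pattern the same way PCRE does, so what matches here matches under Declude's BODY PCRE test. The "fires once per message" weighting in body_weight is an assumption about how Declude scores a line, not something the thread states.

```python
import re

# Added example: David Barker's filter PCRE, reassembled on one line.
# Declude applies it as "BODY 10 PCRE <pattern>": +10 weight if the body
# contains a trigger word followed within 50 characters by an http:// link
# whose host is a bare dotted-quad (each octet 0-255).
STORM_LINK = re.compile(
    r"(?i:(Click|login|link).{0,50}"
    r"http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
)

# Sample bodies.  "poker" is the line from the Poker World spam quoted in
# the thread; the rest are constructed for this example.
SAMPLES = {
    "poker": "Use this link to change your Login info:  http://85.113.198.210/",
    "hostname": "Click here to login: http://www.example.com/login",
    "too_far": "Click " + "x" * 60 + " http://10.0.0.5/",
    "bad_octet": "login at http://999.1.1.1/",
    "no_boundary": "Blinking news: HTTP://192.168.1.20/update.exe",
}


def storm_link_hits(body):
    """Return (trigger word, dotted-quad) for every match in body."""
    hits = []
    for m in STORM_LINK.finditer(body):
        # The IP is whatever follows the (case-insensitive) http:// that the
        # pattern itself matched, i.e. the tail of the whole match.
        ip = re.split(r"(?i)http://", m.group(0))[-1]
        hits.append((m.group(1).lower(), ip))
    return hits


def body_weight(body, weight=10):
    """Weight the BODY line contributes.  Assumption for this model: a
    Declude filter line counts once per message however often it matches."""
    return weight if STORM_LINK.search(body) else 0


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} weight={body_weight(body):3}  hits={storm_link_hits(body)}")
```

Two things the samples make visible: the trigger words carry no word boundary, so "Blinking" satisfies "link" and will score an innocent newsletter that happens to link to an IP, and only "http://" is matched, so an https:// link or a bare IP without a scheme slips past. Tighten with \b around the trigger group and "https?://" if you see either in your own traffic.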

RE: [Declude.JunkMail] New All_list.dat 16 Aug 07

2007-08-16 Thread Colbeck, Andrew
That's good news, David.

Thank you for supplying updates proactively.

Andrew.

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, August 16, 2007 11:52 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] New All_list.dat 16 Aug 07
 
 Available from Declude, My Account page.
 
 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311   
 E: [EMAIL PROTECTED]
 
 
 
 



RE: [Declude.JunkMail] Has Senderbase become worthless?

2007-07-31 Thread Colbeck, Andrew
Chuck, it probably only means that your Declude configuration is
effectively blocking the major spammers, and that the cases you are
chasing are fresh zombies on networks whose registrations are handled by
RIPE or APNIC, and that you need to refer to them for the specific
information.

If a zombie was fresh, it is likely that Senderbase wouldn't have
traffic counts from that IP or even that subnet.

Andrew.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Chuck Schick
 Sent: Tuesday, July 31, 2007 9:54 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Has Senderbase become worthless?
 
 I have used senderbase for several years to see information about IP blocks.
 I have found the information useful in the past to see who owns a block and
 how large a block may be...
 
 In the past several months all inquiries to senderbase show they don't know
 who owns the block nor do they see any traffic...Anybody else seeing the
 same thing?
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 
 
 



RE: [Declude.JunkMail] Country code

2007-07-04 Thread Colbeck, Andrew
Effing spammers?
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Scott Fisher
Sent: Tuesday, July 03, 2007 9:57 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Country code



I'm detecting a new country code *F.

Can you enlighten me to what this is?




RE: [Declude.JunkMail] phone regex/pcre help

2007-07-03 Thread Colbeck, Andrew
Scott, my eyes water when I look at a long regexp.
 
So without trying to work out that specific PCRE syntax, I'll suggest
two things:
 
1) Make a generic detection that finds zero or more junk characters
between the text you're looking for.  The longer the parent string is,
the less likely you are to have a false positive, e.g.
 
finding filler between ab
 
BAD:
 
a.*b
 
This is bad because it is too greedy and matches the longest line that
has a then zero or any amount of characters up to the buffer size, and
then a b.
 
LESS BAD:
 
a.{0,2}b
 
This is less bad because we're restricting the count of the wildcard to
0 through 2 characters between the a and the b, but it's still bad
because the string is so short.  Even if this were gibberish, you will
likely hit it eventually as a false positive when finding it in the MIME
encoding of a binary file.
 
AWESOME:
 
Taking a long string like a phone number and dropping the:
 
.{0,2}
 
between each of the bits of text you think the bad guy will try to stuff
with junk, including whitespace.  Replace the 2 with however many
characters you think are sensible. I think Declude wants the brace
characters escaped, e.g.:
 
.\{0,2\}
 
is the syntax to use in a PCRE.
 
2) A while back I had to fix some ugly regexp that plain old didn't
work, and I used a Windows shareware app called The Regex Coach and it
worked for me.
 
http://weitz.de/regex-coach/
 
 
Andrew.
 
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Scott Fisher
Sent: Tuesday, July 03, 2007 12:34 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] phone regex/pcre help



I'm looking to replace these lines with a pcre but it doesn't
seem to be working. Any suggestions?

 

BODY 175 CONTAINS 206 888-2083

BODY 175 CONTAINS 206.8882083

BODY 175 CONTAINS 2068882083

BODY 175 CONTAINS 206-8882083

BODY 175 CONTAINS 206 8882083

 

BODY   175   PCRE   (?i:[\(\{]?2[0o]6[\)\}]?{\-\_\.\s}?888{\-\_\.\s}?2[0o]83)

 

Scott Fisher

Dir of IT

Farm Progress Companies

191 S Gary Ave

Carol Stream, IL 60188

Tel: 630-462-2323

 


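The posted PCRE and a corrected form, run side by side in Python, as an added example rather than anything from the thread. Python's re engine treats a stray brace, character classes and {m,n} repeats the same way PCRE does for everything used here. The five literal forms are Scott's; the obfuscated variants are constructed.

```python
import re

# Added example, not from the thread.  Scott's PCRE exactly as posted:
POSTED = r"(?i:[\(\{]?2[0o]6[\)\}]?{\-\_\.\s}?888{\-\_\.\s}?2[0o]83)"
# Why it never matches: "{\-\_\.\s}?" is not a character class.  A "{" that
# does not open a valid {m,n} repeat is a literal brace, so the engine
# demands the literal text "{-_." followed by whitespace and an optional "}"
# between the number groups.  No phone number contains that.

# Corrected: square brackets make a class; {0,2} bounds the filler, as Andrew
# suggests, so up to two dashes/underscores/dots/spaces may separate groups.
FIXED = r"(?i)[(\[{]?2[0o]6[)\]}]?[-_.\s]{0,2}888[-_.\s]{0,2}2[0o]83"

# Andrew's generic form: .{0,2} lets ANY two characters sit between the
# groups, catching fillers you did not anticipate at some cost in precision.
GENERIC = r"(?i)2[0o]6.{0,2}888.{0,2}2[0o]83"

# Scott's five literal CONTAINS lines, as strings the PCRE must cover:
FIVE_FORMS = ["206 888-2083", "206.8882083", "2068882083",
              "206-8882083", "206 8882083"]
# Constructed obfuscations: brackets, letter O for zero, an unexpected
# filler character, and doubled filler.
OBFUSCATED = ["(206) 888-2083", "2O6_888_2O83", "206*888*2083",
              "206--888..2083"]


def matches(pattern, text):
    return re.search(pattern, text) is not None


def which_match(pattern, texts):
    """Subset of texts the pattern finds, in the original order."""
    return [t for t in texts if matches(pattern, t)]


if __name__ == "__main__":
    for label, pat in ("POSTED", POSTED), ("FIXED", FIXED), ("GENERIC", GENERIC):
        print(label, "literal forms:", which_match(pat, FIVE_FORMS))
        print(label, "obfuscated:   ", which_match(pat, OBFUSCATED))
```

One caveat on the brace syntax: in PCRE the braces of .{0,2} must not be escaped. Writing .\{0,2\} asks for one character followed by the literal text "{0,2}", which will never appear in a phone number. If a Declude filter line with unescaped braces fails to load, the problem is elsewhere in the line, not the braces.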

RE: [Declude.JunkMail] all_list.dat

2007-06-29 Thread Colbeck, Andrew
I believe that the data isn't actually corrupt.
 
The crux of the issue:
 
What R Scott Perry objected to when he was the sole programmer was that
the EU is a political body, and that the RIPE data should be stating the
exact country that the IP allocation is in.  If the IP is in the
Netherlands, the code should be NL, not EU.
 
http://www.mail-archive.com/declude.junkmail@declude.com/msg22631.html
 
I believe that a declude filter text file with the line:
 
COUNTRIES 1 STARTSWITH EU
 
would have triggered in this case, despite the corrupt RIPE data
presentation of the result in the header.
 
 
Andrew.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Bonno Bloksma
Sent: Friday, June 29, 2007 11:25 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] all_list.dat


Hi,
 
I understand the dynamic nature of the network assignments. That
was why I wrote part 2 of my message. I like to have a way to see how
many errors I get about corrupt data. If it's just a few per week, no
problem. If it gets to be several a day maybe it's time for a new
all_list.dat. Right now I don't seem to have a way to detect that. :-(


Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer


tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

- Original Message - 
From: Gary Steiner [EMAIL PROTECTED]

To: declude.junkmail@declude.com 
Sent: Friday, June 29, 2007 7:37 PM
Subject: re: [Declude.JunkMail] all_list.dat

The corrupt RIPE data should be referring to
145.53.30.139.  Though if you go to www.ripe.net and do a search,
145.53.0.0/16 is listed as belonging to Planet Technologies with an
email address of [EMAIL PROTECTED] and being in The Netherlands.  Which
is essentially the same as the listing for 213.75.0.0/16.

Unfortunately the entries in the RIPE database don't
have dates associated with them, so you can't tell if those listings
were the same back in May when the all_list.dat was created.  The
listings change all the time, so essentially the all_list.dat file is
outdated as soon as it comes out.  And it also doesn't help that RIPE,
ARIN, APNIC, LACNIC, etc. are all separate independent entities with
separate databases, so when things change Declude has to look in many
places to update the all_list.dat.

Gary



 Original Message 
 From: Bonno Bloksma [EMAIL PROTECTED]
 Sent: Friday, June 29, 2007 4:15 AM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] all_list.dat
 
 Hi,
 
 I'm using the all-list.dat from May 2007. Occasionally
I was checking the Declude junkmail logs to see if any new problems with
unknown networks would arise.
 But today I found out that information is not in the
Declude log at level high. In the headers of a mail I found:
 X-Country-Chain: 'EU' [corrupt RIPE
data]-NETHERLANDS-destination
 
 The Received lines are:
 Received: from hpsmtp-eml16.kpnxchange.com
[213.75.38.116] by student.tio.nl with ESMTP (SMTPD-9.21) id A48204B4;
   Fri, 29 Jun 2007 08:19:46 +0200
 Received: from hpsmtp-eml05.kpnxchange.com
([213.75.38.105]) by hpsmtp-eml16.kpnxchange.com with Microsoft
SMTPSVC(6.0.3790.1830);
   Fri, 29 Jun 2007 08:19:46 +0200
 Received: from colligno601a0c ([145.53.30.139]) by
hpsmtp-eml05.kpnxchange.com with Microsoft SMTPSVC(6.0.3790.3959);
   Fri, 29 Jun 2007 08:19:45 +0200
 
 In the loglines for this message there is no mention
of corrupt RIPE data which is what I was looking for all the time. So:
 
 1) Can we have a new all_list.dat with updated info
please. KPN is a large telco which has 4 ISPs covering the Netherlands.
 
 2) In what way can I detect when the all_list.dat file
is getting outdated, when information about networks is missing/corrupt?
 
 
 Met vriendelijke groet,
 Bonno Bloksma
 hoofd systeembeheer
 
 
 
 tio hogeschool hotelmanagement en toerisme 
 begijnenhof 8-12 / 5611 el eindhoven
 t 040 296 28 28 / f 040 237 35 20
 [EMAIL PROTECTED]  / www.tio.nl 
 

RE: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread Colbeck, Andrew
SJ, they're not viruses, they're spam sent from zombies.
 
Probably pump and dump stock spam, and if they're like what I've been
seeing, they have the same anti-OCR techniques that were previously sent
as jpg.
 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg03447.html
 
and:
 
http://isc.sans.org/diary.html?storyid=3012
 
and:
 
http://www.heise-security.co.uk/news/91523
 
 
Andrew.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 8:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?



I'm getting gobs of PDF's snagged in my antispam filter, they're
not triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.




RE: [Declude.JunkMail] New PDF worm?

2007-06-27 Thread Colbeck, Andrew
I'll suggest an alternative to this.
 
If you're using the CB-ATTACH filter and you want to keep it without
giving spammers too much entry, use an END filter with your blacklist
tests.  If the sender's IP address is in the blacklist, the CB-ATTACH
test will stop.
 
This will still counterweight PDF spammers who are not in a blacklist
yet, but perhaps that is an acceptable balance to you.
 
TESTSFAILED END CONTAINS XBL
 
TESTSFAILED END CONTAINS SPAMCOP
 
BODY -10   PCRE  (?i:Content-Type: application/pdf;)
 
 
etc. ...
 
 
Andrew.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of David Barker
Sent: Wednesday, June 27, 2007 8:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?



Yes I am seeing the same thing although when I run the pdf
through a virus check it comes up clean. I opened one of the files and
it was just stock spam. If anyone is running the CB-ATTACH.txt filter I
would suggest commenting out this line for now.

#BODY  -10  PCRE  (?i:Content-Type: application/pdf;)

Or if you are using the older filters:

#BODY  -10  CONTAINS  Content-Type: application/pdf;

 

See also http://blogs.zdnet.com/security/?p=325

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 11:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

 

I'm getting gobs of PDF's snagged in my antispam filter, they're
not triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



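A small model of how Declude walks a filter file, added here to show the ordering Andrew relies on; it is not Declude's code. The line format, the rule that the first matching END line stops the file, and the summing of matched weights are assumptions drawn from the filter lines quoted in this thread; MAXWEIGHT and other directives are not modelled, and the PDF body is constructed.

```python
import re

# Added example: a toy evaluator for a Declude-style filter file.  Assumed
# line format is  TEST  WEIGHT|END  OPERATOR  VALUE  (whitespace-separated,
# VALUE may contain spaces); lines run top to bottom, a matching END line
# stops the file, and weights of matching lines are summed.
FILTER_TEXT = """
# Stop here for senders already on a blacklist: the PDF credit below
# then never applies to them.
TESTSFAILED  END  CONTAINS  XBL
TESTSFAILED  END  CONTAINS  SPAMCOP
BODY  -10  PCRE  (?i:Content-Type: application/pdf;)
"""

# Constructed sample body: the MIME header of a PDF attachment.
PDF_BODY = 'Content-Type: application/pdf; name="report.pdf"\n\nJVBERi0x...'


def parse_filter(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        test, action, op, value = line.split(None, 3)
        rules.append((test, action, op, value))
    return rules


def evaluate(rules, message):
    """message = {"tests_failed": set of test names, "body": str}.
    Returns (weight this file contributes, rule text that ENDed it or None)."""
    weight = 0
    failed = " ".join(sorted(message["tests_failed"]))
    for test, action, op, value in rules:
        if test == "TESTSFAILED" and op == "CONTAINS":
            hit = value in failed
        elif test == "BODY" and op == "PCRE":
            hit = re.search(value, message["body"]) is not None
        else:
            raise ValueError(f"unsupported line: {test} {op}")
        if not hit:
            continue
        if action == "END":
            return weight, f"{test} {op} {value}"
        weight += int(action)
    return weight, None


RULES = parse_filter(FILTER_TEXT)

if __name__ == "__main__":
    cases = (("clean sender", set()), ("XBL-listed zombie", {"XBL", "SPAMHEADERS"}))
    for who, failed in cases:
        print(who, evaluate(RULES, {"tests_failed": failed, "body": PDF_BODY}))
```

The END lines must sit above the scoring lines, because they stop everything after them in the same file, including any further negative weights you add later. Also note that CONTAINS is a substring test: a blacklist test whose name merely contains "XBL" (a hypothetical "MYXBL", say) would trip the first END line too.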

RE: [Declude.JunkMail] OT: Software for copying files with permissions

2007-06-26 Thread Colbeck, Andrew
Sharyn, you might be interested in a more complete tool from Microsoft
that is free and was designed with your task in mind:
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=d00e3eae-930a-42b0-b595-66f462f5d87b&DisplayLang=en
 
It's called the File Server Migration Toolkit, and it takes care of
creating the shares, setting permissions and even removing the original
shares.  There is an emphasis on using DFS, but that is completely
optional.
 
Here's a snippet from the online help:
 
 

Using the File Server Migration Wizard


The File Server Migration Wizard is a graphical user interface (GUI)
tool for copying files and folders from a source file server to a target
file server. The wizard walks you step by step through the copy process,
which includes creating a migration project where project-specific
settings are stored, monitoring the progress of the file copying, and
viewing a final report of the copying results. 

 
Important

*   For information about security and server cluster
considerations, see Security considerations and Server cluster
considerations.

The File Server Migration Wizard provides a number of options for
copying data. For example, you can:

*   Copy permission, auditing, and ownership information that is
associated with files and folders. 
*   Resolve invalid security descriptors on the target files and
folders. 
*   Stop sharing the shared folders on the source file servers after
the copying is finalized. 
*   Prestage the target file server, for example by restoring a
backup of the source file server, and then use the wizard to recopy
changed files and share the target folders. (To do this, follow the
procedure described in the Target Location link in Select servers,
shared folders, and settings.)
*   Specify the DFS root server that hosts consolidation roots that
are created by the DFS Consolidation Root Wizard. When you select this
setting, the links that correspond to each copied folder are updated
with the new Universal Naming Convention (UNC) paths of the target
folders. 
*   Specify an existing DFS namespace where you want to add DFS
links for each copied shared folder. You can select this setting even if
you do not use the DFS Consolidation Root Wizard. 

 
Note that how you get your users to map these shares and how to switch
the server is still up to you, e.g. with login scripts or changing the
share for their home drive in your Active Directory (or NT4 Domain
Controller).
 
Andrew.
 
p.s. In the last migration I did, I was fortunate to use a product from
NetIQ.com called Server Consolidator, part of their NetIQ Migration
Suite, and that did the same functionality as the Microsoft FSMT and it
was both simple and accurate.  I've no idea what it cost.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Sharyn Schmidt
Sent: Tuesday, June 26, 2007 6:19 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Software for copying files
with permissions


 


 

If you want to move an entire image to a new machine
then I would use Acronis software to image the old server

 

 

Thanks, I don't want to move the entire image.

 

I just want to take every share that I have on this
particular server and move it to a new server with all the permissions
intact.

 

Sharyn




RE: [Declude.JunkMail] OT - Outlook Junk Mail Folder

2007-06-20 Thread Colbeck, Andrew
Dean, I did some Googling for you and found some likely hits, including
this from Microsoft:

http://office.microsoft.com/en-us/help/HA010450051033.aspx

You may find a nugget of advice there for how your campaigns can avoid
the filter.

Typically, the advice by senders such as yourself is to plead with
recipients to add your MAILFROM to their Address Book.

For what it's worth, like Kevin, I turn off the Junk E-Mail feature in
the corporate Outlook for my 1,000+ users.  I do it via Group Policy in
our Active Directory; the policies come with the Office Resource Kits.

Andrew.

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Dean Lawrence
 Sent: Tuesday, June 19, 2007 6:11 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] OT - Outlook Junk Mail Folder
 
 Hi All,
 
 I have a client that we generate mailings for and one of 
 their messages is for some reason being placed in the Outlook 
 Junkmail Folder. There is very little to the email and there 
 aren't any Buy nows or anything like that in the message. 
 Declude and Sniffer have no problem with it either. However, 
 Outlook keeps flagging it as junk mail.
 
 Does anyone have any ideas as to finding out why Outlook is 
 doing this or how to get around it?
 
 Thanks,
 
 Dean
 
 --
 __
 Dean Lawrence, CIO/Partner
 Internet Data Technology
 888.GET.IDT1 ext. 701 * fax: 888.438.4381 
 http://www.idatatech.com/ Corporate Internet Development and 
 Marketing Specialists
 
 



RE: [Declude.JunkMail] APEWS

2007-06-12 Thread Colbeck, Andrew
It looks and reads exactly the same as some previous list that I've
forgotten about.
 
I haven't tried it...
 
Andrew.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Kevin Bilbee
Sent: Tuesday, June 12, 2007 4:51 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] APEWS



What do you all think of APEWS? After reading their website they
seem to be a little heavy handed?

 

 

 

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]

Changing the way industry works. 



 




RE: [Declude.JunkMail] HELP with tqmcube.com

2007-05-24 Thread Colbeck, Andrew
I suggest that you always use a different source IP and sender domain
name when contacting the admin for a blacklist, because they often
filter their own mail with their blacklist, so they won't see your plea.
Stupid, but true.
 
Andrew.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Kevin Bilbee
Sent: Thursday, May 24, 2007 10:18 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] HELP with tqmcube.com



Our primary mail server is listed by these guys and I have
issued a removal request on their web site over 13 days ago. Their web
site states they normally handle a removal request in 4 hours.

 

I have tried to contact them with the email address on their
domain registration and also no reply; the phone number on their domain
registration is disconnected. I have also sent an email using their
contact page and also no reply. Does anyone know how to contact them?

 

I see the name David Cary Hart on the site and other places on
the net. Does anyone have any idea on how to get him to reply?

 

 

I would really like to know why we are listed and to see a
sample message they received that listed us. It is difficult to correct
a problem when the organization that states there is a problem will not
reply and within their own stated guidelines.

 

 

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]

Changing the way industry works. 



 




RE: [Declude.JunkMail] all_list.dat ?

2007-05-17 Thread Colbeck, Andrew
Thanks, David.

It's working fine here!


Andrew 8)




 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, May 17, 2007 9:29 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] all_list.dat ?
 
 New all_list.dat available from the My Account page on 
 Declude website.
 
 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311   
 E: [EMAIL PROTECTED]
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, May 17, 2007 9:52 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] all_list.dat ?
 
 Sure, I will see what I can do for early next week.
 
 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311   
 E: [EMAIL PROTECTED]
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Colbeck, Andrew
 Sent: Wednesday, May 16, 2007 7:42 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] all_list.dat ?
 
 Hey, David.
 
 Any chance of seeing a refresh of all_list.dat ... It's been just about
 4 months since the last one.  Three or four times a year doesn't sound bad.
 
 Andrew 8)
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Colbeck, Andrew
  Sent: Thursday, January 18, 2007 9:08 AM
  To: declude.junkmail@declude.com
  Subject: RE: [Declude.JunkMail] all_list.dat ?
  
  Thanks, David.
  
  The early report is that it's working for me.
  
  Andrew 8)
  
  
  
  
   
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of 
   David Barker
   Sent: Thursday, January 18, 2007 7:37 AM
   To: declude.junkmail@declude.com
   Subject: RE: [Declude.JunkMail] all_list.dat ?
   
   New all_list.dat available on the My Account home page of Declude.
   18 Jan 07 344kB
   
   David Barker
   Director of Product Management
   Your Email security is our business
   978.499.2933 office
   978.988.1311 fax
   [EMAIL PROTECTED]

   
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of 
   Gary Steiner
   Sent: Tuesday, January 09, 2007 4:30 PM
   To: declude.junkmail@declude.com
   Subject: [Declude.JunkMail] all_list.dat ?
   
   David (or any Declude people that may be reading),
   
   Any chance of seeing a new all_list.dat any time soon, considering the
   current one has a date of 6 Jul 06, and considering the additional
   input from this recent thread?
   
   I'm starting to see false positives caused by weights I previously
   gave to IANA Reserved and RIPE Unlisted.
   
   Gary
   
   
   
    Original Message 
From: Jay Sudowski - Handy Networks LLC 
 [EMAIL PROTECTED]
Sent: Thursday, January 04, 2007 5:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] [IANA Reserved] ?

Indeed.  When we obtained our own IP space from ARIN, it was from
72/8, which had been released only about 6 months prior to it being
assigned to us.  You wouldn't believe the number of networks that were
running with 72/8 in their bogons list and were entirely blocking
traffic from our network...


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
  Behalf Of
Darrell ([EMAIL PROTECTED])
Sent: Thursday, January 04, 2007 3:47 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?


I would be very careful with this.  IANA just released (I believe in
October) 96/8, 97/8, 98/8, 99/8.  With the all_list.dat not being
updated frequently I would tread very lightly in this area.  Part of
96/8 has been handed out.

Darrell

   
  
--
Check out http://www.invariantsystems.com for utilities for Declude
and IMail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.

- Original Message -
From: S.J.Stanaitis [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, January 04, 2007 3:29 PM
Subject: RE: [Declude.JunkMail] [IANA Reserved] ?


Nice.

Thanks,
Sam

SJ.Stanaitis - Network Administrator Decorative Product Source 
E-commerce Network

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
  Behalf Of
Scott Fisher
Sent: Thursday, January 04, 2007 3:16 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?

sending hop only: COUNTRY 0 IS *R

or

all hops: COUNTRIES 0 CONTAINS *R

RE: [Declude.JunkMail] all_list.dat ?

2007-05-17 Thread Colbeck, Andrew
Thanks, David.

It's working fine here!


Andrew 8)




 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, May 17, 2007 9:29 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] all_list.dat ?
 
 New all_list.dat available from the My Account page on 
 Declude website.
 
 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311   
 E: [EMAIL PROTECTED]
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, May 17, 2007 9:52 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] all_list.dat ?
 
 Sure, I will see what I can do for early next week.
 
 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311   
 E: [EMAIL PROTECTED]
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Colbeck, Andrew
 Sent: Wednesday, May 16, 2007 7:42 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] all_list.dat ?
 
 Hey, David.
 
 Any chance of seeing a refresh of all_list.dat ... It's been just about
 4 months since the last one.  Three or four times a year doesn't sound bad.
 
 Andrew 8)
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Colbeck, Andrew
  Sent: Thursday, January 18, 2007 9:08 AM
  To: declude.junkmail@declude.com
  Subject: RE: [Declude.JunkMail] all_list.dat ?
  
  Thanks, David.
  
  The early report is that it's working for me.
  
  Andrew 8)
  
  
  
  
   
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
   David Barker
   Sent: Thursday, January 18, 2007 7:37 AM
   To: declude.junkmail@declude.com
   Subject: RE: [Declude.JunkMail] all_list.dat ?
   
   New all_list.dat available on the My Account home page of Declude. 18 Jan 07 344kB
   
   David Barker
   Director of Product Management
   Your Email security is our business
   978.499.2933 office
   978.988.1311 fax
   [EMAIL PROTECTED]

   
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
   Gary Steiner
   Sent: Tuesday, January 09, 2007 4:30 PM
   To: declude.junkmail@declude.com
   Subject: [Declude.JunkMail] all_list.dat ?
   
   David (or any Declude people that may be reading),
   
   Any chance of seeing a new all_list.dat any time soon, considering the
   current one has a date of 6 Jul 06, and considering the additional
   input from this recent thread?
   
   I'm starting to see false positives caused by weights I previously
   gave to IANA Reserved and RIPE Unlisted.
   
   Gary
   
   
   
    Original Message 
From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
Sent: Thursday, January 04, 2007 5:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] [IANA Reserved] ?

Indeed.  When we obtained our own IP space from ARIN, it was from
72/8, which had been released only about 6 months prior to it being
assigned to us.  You wouldn't believe the number of networks that were
running with 72/8 in their bogons list and were entirely blocking
traffic from our network...


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darrell ([EMAIL PROTECTED])
Sent: Thursday, January 04, 2007 3:47 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?


I would be very careful with this.  IANA just released (I believe in
October) 96/8, 97/8, 98/8, 99/8.  With the all_list.dat not being
updated frequently I would tread very lightly in this area.  Part of
96/8 has been handed out.

Darrell

   
  
 --
-- Check out http://www.invariantsystems.com for utilities for Declude
And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.

- Original Message -
From: S.J.Stanaitis [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, January 04, 2007 3:29 PM
Subject: RE: [Declude.JunkMail] [IANA Reserved] ?


Nice.

Thanks,
Sam

SJ.Stanaitis - Network Administrator Decorative Product Source 
E-commerce Network

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Fisher
Sent: Thursday, January 04, 2007 3:16 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?

sending hop only: COUNTRY 0 IS *R

or

all hops: COUNTRIES 0 CONTAINS *R

RE: [Declude.JunkMail] all_list.dat ?

2007-05-16 Thread Colbeck, Andrew
Hey, David.

Any chance of seeing a refresh of all_list.dat ... It's been just about
4 months since the last one.  Three or four times a year doesn't sound
bad.

Andrew 8)

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Colbeck, Andrew
 Sent: Thursday, January 18, 2007 9:08 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] all_list.dat ?
 
 Thanks, David.
 
 The early report is that it's working for me.
 
 Andrew 8)
 
 
 
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  David Barker
  Sent: Thursday, January 18, 2007 7:37 AM
  To: declude.junkmail@declude.com
  Subject: RE: [Declude.JunkMail] all_list.dat ?
  
  New all_list.dat available on the My Account home page of Declude. 18 Jan 07 344kB
  
  David Barker
  Director of Product Management
  Your Email security is our business
  978.499.2933 office
  978.988.1311 fax
  [EMAIL PROTECTED]
   
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Gary Steiner
  Sent: Tuesday, January 09, 2007 4:30 PM
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] all_list.dat ?
  
  David (or any Declude people that may be reading),
  
  Any chance of seeing a new all_list.dat any time soon, considering the
  current one has a date of 6 Jul 06, and considering the additional
  input from this recent thread?
  
  I'm starting to see false positives caused by weights I previously 
  gave to IANA Reserved and RIPE Unlisted.
  
  Gary
  
  
  
   Original Message 
   From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
   Sent: Thursday, January 04, 2007 5:57 PM
   To: declude.junkmail@declude.com
   Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
   
   Indeed.  When we obtained our own IP space from ARIN, it was from
   72/8, which had been released only about 6 months prior to it being
   assigned to us.  You wouldn't believe the number of networks that were
   running with 72/8 in their bogons list and were entirely blocking
   traffic from our network...
   
   
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
   Darrell ([EMAIL PROTECTED])
   Sent: Thursday, January 04, 2007 3:47 PM
   To: declude.junkmail@declude.com
   Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
   
   
   I would be very careful with this.  IANA just released (I believe in
   October) 96/8, 97/8, 98/8, 99/8.  With the all_list.dat not being
   updated frequently I would tread very lightly in this area.  Part of
   96/8 has been handed out.
   
   Darrell
   
  
   --
   -- Check out http://www.invariantsystems.com for utilities for Declude
   And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
   integration, MRTG Integration, and Log Parsers.
   
   - Original Message -
   From: S.J.Stanaitis [EMAIL PROTECTED]
   To: declude.junkmail@declude.com
   Sent: Thursday, January 04, 2007 3:29 PM
   Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
   
   
   Nice.
   
   Thanks,
   Sam
   
   SJ.Stanaitis - Network Administrator Decorative Product Source 
   E-commerce Network
   
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
   Scott Fisher
   Sent: Thursday, January 04, 2007 3:16 PM
   To: declude.junkmail@declude.com
   Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
   
   sending hop only: COUNTRY 0 IS *R
   
   or
   
   all hops: COUNTRIES 0 CONTAINS *R
   
   - Original Message -
   From: S.J.Stanaitis [EMAIL PROTECTED]
   To: declude.junkmail@declude.com
   Sent: Thursday, January 04, 2007 1:55 PM
   Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
   
   
Holy [EMAIL PROTECTED], that answers one question!
   
Any idea how to incorporate the IANA Reserved thing into Declude?
   
Thanks,
Sam
   
SJ.Stanaitis - Network Administrator Decorative Product Source 
E-commerce Network
   
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Fisher
Sent: Thursday, January 04, 2007 2:37 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
   
Here are my december totals for the odd-balls (COUNTRY IS test)
   
Country Name           CountOfMessageID  DEL SPAM  HELD SPAM  Poss SPAM   OK
APNIC Unlisted                       97        97          0          0    0
ARIN Unlisted                      1426      1395         12          1   18
Central/South America                89        89          0          0    0
European Union                     1804      1674          8          1  121
IANA Reserved                     11677     11428         91        118   39
Multi-Regional                       23        19          1          1    2
RIPE Unlisted                      1332      1330          1          1    0
Unknown                            4018      3938         13          3   64
   
   
#
#  Special Codes
#
#*1 Multi-Regional
#*2 Europe
#*3 North America
#*4 Central/South America
#*5 Pacific Rim

RE: [Declude.JunkMail] Phishing

2007-05-15 Thread Colbeck, Andrew
Without my so much as glancing at the potential false positives, this is
a treasure trove of actual phishing URLs:

http://www.phishtank.com/phish_archive.php

A glance at which tells me that another useful PCRE would be to (pseudo
code follows):

IPADDRESS then (/ character) then stuff including DOMAIN NAME then (end
of line OR / character)

Andrew.


 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Tuesday, May 15, 2007 2:31 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Phishing
 
 BODY  15  PCRE(http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))
 
 This is a regular expression. This is a little more 
 complicated than a straight filter but essentially I am 
 looking for any URL that has a .com in the middle and then 
 ends with a different domain extension. It will match on
 this:
 
 http://session-2825275860.nationalcity.com.juuje.io/
 
 If you had to do a standard filter I would do something like:
 
  BODY  5   CONTAINS  http://session-
  BODY  10  CONTAINS  .io/
 
 Some examples of matches (not sure of the levels on FP's yet)
 
 05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter 
 FILTER-PHISH :
 http://session-401758.nationalcity.com.bigj.at/
 
 05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter 
 FILTER-PHISH :
 http://interactsession-64236.regions.com.usersetup.cn/
 
 05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter 
 FILTER-PHISH :
 http://interactsession-0330189132.regions.com.usersetup.tw/
 
 05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter 
 FILTER-PHISH :
 http://session-10067.nationalcity.com.portfast.cn/
 
 05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter 
 FILTER-PHISH :
 http://interactsession-644893.regions.com.usersetup.io/
 
 05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter 
 FILTER-PHISH :
 http://session-8434556.nationalcity.com.05server.cn/
 
 David Barker
 VP Operations  |  Declude
 Your Email Security is our business
 O: 978.499.2933  x7007
 F: 978.988.1311   
 E: [EMAIL PROTECTED]
 
 
 
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.
 
 



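To see what these two patterns actually catch and miss, here is an added example (mine, not code from the list post or from Declude): it runs David Barker's PCRE and his two CONTAINS filters, plus a regex rendering of Andrew's IP-then-domain pseudo-code, over a few constructed message bodies and totals the weights. The IP-then-domain regex, its weight of 10, the filter names other than FILTER-PHISH and the sample bodies are my assumptions; the three phishing URLs are the ones Barker posted.

```python
"""Added example, not code from the Declude list post or from Declude itself.

Runs David Barker's BODY PCRE filter, his two fallback CONTAINS filters and a
regex rendering of Andrew Colbeck's "IP address, then /, then a domain name"
pseudo-code over constructed message bodies and totals the weights.
"""
import re

# Barker's PCRE as posted (weight 15): a URL with ".com." in the middle that
# then ends with some other extension and "/".
BARKER_PCRE = re.compile(r"http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/)")

# Colbeck's pseudo-code rendered as a regex. This rendering is an assumption of
# this example: the post gives only the shape, not the pattern.
IP_THEN_DOMAIN = re.compile(
    r"http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/"  # http://1.2.3.4[:port]/
    r"\S*?"                                      # any path text before the name
    r"(?:[a-z0-9-]+\.)+[a-z]{2,6}"               # something shaped like a host name
    r"(?=/|\s|$)",                               # followed by "/" or end of line
    re.IGNORECASE | re.MULTILINE,
)


def _regex(pattern):
    """Matcher returning the matched text (the evidence) or None."""
    def match(body):
        m = pattern.search(body)
        return m.group(0) if m else None
    return match


def _contains(literal):
    """Matcher for a plain Declude CONTAINS filter line."""
    def match(body):
        return literal if literal in body else None
    return match


# (filter name, weight, matcher). The 15/5/10 weights are Barker's; the name
# FILTER-PHISH is from his log lines; the other names and the weight of 10 for
# the IP-then-domain rule are assumptions of this example.
FILTERS = [
    ("FILTER-PHISH", 15, _regex(BARKER_PCRE)),
    ("PHISH-SESSION", 5, _contains("http://session-")),
    ("PHISH-IO", 10, _contains(".io/")),
    ("PHISH-IP-DOMAIN", 10, _regex(IP_THEN_DOMAIN)),
]


def score_body(body):
    """Return (total_weight, hits); each hit is (name, weight, evidence)."""
    hits = []
    for name, weight, matcher in FILTERS:
        evidence = matcher(body)
        if evidence is not None:
            hits.append((name, weight, evidence))
    return sum(weight for _, weight, _ in hits), hits


# Constructed bodies. The first three URLs are matches Barker posted; the rest
# are made up here: one clean miss and two plausible false positives.
SAMPLES = {
    "barker-1": "please confirm at http://session-401758.nationalcity.com.bigj.at/ today",
    "barker-2": "http://interactsession-64236.regions.com.usersetup.cn/",
    "barker-3": "http://interactsession-644893.regions.com.usersetup.io/",
    "ip-path": "see http://192.0.2.10/login/www.nationalcity.com/index.htm",
    "legit": "http://www.nationalcity.com/",
    "fp-com-au": "http://shop.example.com.au/index.html/",  # ordinary .com.au site
    "fp-image": "http://192.0.2.10/images/logo.png",  # "logo.png" is shaped like a host
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        total, hits = score_body(body)
        names = ", ".join(name for name, _, _ in hits) or "-"
        print(f"{label:10} weight={total:2}  {names}")
```

The two false-positive samples are why the weights matter: a .com.au site with a deep path scores the full 15, and any file name after an IP-addressed URL looks like a domain to the looser rule, so neither rule alone should reach a delete weight.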


RE: [Declude.JunkMail] Spam reduction ?

2007-05-04 Thread Colbeck, Andrew
The last two weekends were noticeably quiet compared to the weekdays.
Judging from the number and flavour of blowback bounce messages I see,
the bad guys are concentrating on fewer campaigns but at higher volumes.
 
The general trend is still up.
 
Spam volumes climbed at increasing rates up to Christmas, then dropped
sharply after New Year's.  February was a low point (but only as low as
mid-October 2006) and volumes have been rising again since.
 
Andrew.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of IS - Systems Eng. (Karl Drugge)
Sent: Friday, May 04, 2007 8:55 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Spam reduction ?



Anyone else seeing a major reduction in spam the past week ?

 

I usually see about 14-15k messages daily, but since Monday have
dropped off to about 8k... Did the recent arrests and law suits have a
result this early ?

 

Karl Drugge 
B.S.I.T., A.S., M.C.S.E. ( NT 4.0, 2000, 2003 ), M.C.S.A. ( 2000
+ 2003 ), C.C.N.A., Network+, A+ 
I dream of the day when I will learn to stop asking questions to
which I will regret learning the answers ( Roy Greenhilt, Order of the
Stick  ) 

 







RE: [Declude.JunkMail] Ever legit?

2007-04-26 Thread Colbeck, Andrew
Robert, you would use a filter file for this, e.g.
 
#First, escape this file if the source is on your own network
REMOTEIP END CIDR 208.100.26.0/24 
REMOTEIP END CIDR 192.168.0.0/24
 
#Skip this whole test if we are already above a hold weight of 20
SKIPIFWEIGHT 25

#Apply a maximum total weight of 20 points
MAXWEIGHT 20
 
#These three penalty weights were constructed to prevent
#false positives where you are penalizing a hypothetical
#legitimate host, e.g. outbound.forgive.com
 
#Apply a penalty if the forged HELO is your exact domain name
HELO 20 IS igive.com
 
#Apply a penalty if the forged HELO contains a host in your domain name
HELO 20 ENDSWITH .igive.com
 
#Apply a tiny penalty if the HELO, forged or not, contains your domain
HELO  3 ENDSWITH give.com
 
I suggest that you always make the weights heavy enough to hold the
message, because if you delete it and it was a false positive, you can't
recover it.
 
A variation of this would be to get rid of the third test, and only keep
the first two.  Then set the weight to say, a single point instead of
20.  Then in your global.cfg or your domain specific file, specify an
action of HOLD.
 
Declude gives you a lot of flexibility to design the test you want, but
this scratches the surface.
 
I hope that helps,
 
Andrew.
 
 
 
 
 



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Robert Grosshandler
 Sent: Thursday, April 26, 2007 1:45 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Ever legit?

 Hi


 We get e-mails that contain the following header (or
 something similar):

 Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP
 (SMTPD-9.20)

 The 71.xxx.xxx.xxx isn't ours.  That IP can vary, but it is
 never ours.

 Are there any legit mailers that would send something in this form?

 If not, what's the best way to score this over my delete weight?

 Thanks,

 Rob




 




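As an added example (not Andrew's code and not Declude's), here is a small Python evaluator for the filter file above, run against a few constructed HELO values to show how the two 20-point tests, the 3-point test and MAXWEIGHT interact. The rule semantics (a matching REMOTEIP END line stops the file, SKIPIFWEIGHT compares against the weight the message already carries, HELO matching is case-insensitive) are my reading of the posted file, not something the post specifies.

```python
"""Added example, not Andrew's code and not Declude's: a small evaluator for
the HELO filter file posted above, to show how its weights combine.

Rule semantics are my reading of the posted file (assumptions, not Declude
documentation): a matching "END" line stops the file, SKIPIFWEIGHT compares
against the weight the message already carries, MAXWEIGHT caps the total, and
HELO comparisons are case-insensitive.
"""
import ipaddress

# The filter file from the post, with its comments.
FILTER_FILE = """\
#First, escape this file if the source is on your own network
REMOTEIP END CIDR 208.100.26.0/24
REMOTEIP END CIDR 192.168.0.0/24

#Skip this whole test if we are already above a hold weight of 20
SKIPIFWEIGHT 25

#Apply a maximum total weight of 20 points
MAXWEIGHT 20

#Apply a penalty if the forged HELO is your exact domain name
HELO 20 IS igive.com

#Apply a penalty if the forged HELO contains a host in your domain name
HELO 20 ENDSWITH .igive.com

#Apply a tiny penalty if the HELO, forged or not, contains your domain
HELO  3 ENDSWITH give.com
"""


def parse_filter(text):
    """Split the file into token lists, dropping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(line.split())
    return rules


def evaluate(rules, remote_ip, helo, incoming_weight=0):
    """Return (weight_added, reasons) for one connection.

    reasons lists the rule lines that fired, or the directive that stopped
    evaluation, so the outcome can be explained in a log line.
    """
    ip = ipaddress.ip_address(remote_ip)
    helo = helo.lower()
    max_weight = None
    total, reasons = 0, []
    for tokens in rules:
        keyword = tokens[0]
        if keyword == "SKIPIFWEIGHT":
            if incoming_weight >= int(tokens[1]):
                return 0, ["SKIPIFWEIGHT %s" % tokens[1]]
            continue
        if keyword == "MAXWEIGHT":
            max_weight = int(tokens[1])
            continue
        test, weight, op, value = tokens
        if test == "REMOTEIP" and op == "CIDR":
            hit = ip in ipaddress.ip_network(value, strict=False)
        elif test == "HELO" and op == "IS":
            hit = helo == value.lower()
        elif test == "HELO" and op == "ENDSWITH":
            hit = helo.endswith(value.lower())
        else:
            raise ValueError("unsupported rule: " + " ".join(tokens))
        if not hit:
            continue
        reasons.append(" ".join(tokens))
        if weight == "END":  # own network: stop the file, nothing added
            return 0, reasons
        total += int(weight)
    if max_weight is not None:
        total = min(total, max_weight)
    return total, reasons


RULES = parse_filter(FILTER_FILE)

# Constructed connections. 71.250.241.101 is the outside address from Rob's
# header; the HELO values cover the cases Andrew's comments describe.
CASES = [
    ("208.100.26.15", "igive.com", 0),              # own network: escaped by END
    ("71.250.241.101", "igive.com", 0),             # exact forged domain: 20 + 3, capped
    ("71.250.241.101", "mail.igive.com", 0),        # forged host inside the domain
    ("71.250.241.101", "outbound.forgive.com", 0),  # legitimate look-alike: 3 only
    ("71.250.241.101", "mx.example.net", 0),        # unrelated HELO
    ("71.250.241.101", "igive.com", 30),            # already past SKIPIFWEIGHT
]

if __name__ == "__main__":
    for remote_ip, helo, carried in CASES:
        added, reasons = evaluate(RULES, remote_ip, helo, carried)
        print(f"{remote_ip:15} {helo:22} carried={carried:2} added={added:2}  {reasons}")
```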

RE: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS SCANNING UPDATE

2007-04-17 Thread Colbeck, Andrew
My only two cents on this:

If I were David Barker I would have:

- Pulled out the bad package

- Rolled a new package (with an incremented version number) with the
missing DLL, tested the package successfully and posted it to the website
for download

- Checked my shopping cart or web logs and found out which customers had
downloaded the bad version of the package

- Contacted only those customers by phone and email; when there is an
email problem, email is a lousy communications channel

I would have updated the What's New web page.

I *may* then also notify both support mailing lists.

The rest is so much sturm und drang.


Andrew.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Tuesday, April 17, 2007 9:02 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - 
 CRITICAL VIRUS SCANNING UPDATE
 
 So far this issue has affected 2 people. John and Dave. If 
 there were 10's of others I can see your point however I am 
 not emailing 4500 users when this is no longer an issue. It 
 is because of people on these lists that provide us with good 
 feedback, input and their 2 cents, that helps us provide a 
 better service to the majority of users. In short thanks to 
 John we did not have to send a second email.
  
 David
 
 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Randy Armbrecht
 Sent: Tuesday, April 17, 2007 11:48 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - 
 CRITICAL VIRUS SCANNING UPDATE
 
 
 David,
 
 I normally do not put in my 2 cents worth to general 
 discussions, but would like to this time just to help clarify 
 the intent, as I see it, of the original request.  Although I 
 am a pretty avid (sp?) user of the forums/groups, I cannot 
 imagine EVERYONE that is on the email distribution list is a 
 frequent visitor to such.  Those that are not will not learn 
 of the mistakenly left out DLL file unless another email 
 blast goes out.
 
 Randy Armbrecht
 Global Web Solutions, Inc.
 804-442-5300
 
 
 
 
 From: David Barker [EMAIL PROTECTED]
 Sent: Tuesday, April 17, 2007 10:33 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - 
 CRITICAL VIRUS SCANNING UPDATE 
 
 The issue was corrected prior to notifying all customers, and 
 therefore we did not need to send out a secondary email. 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Andy Schmidt
 Sent: Tuesday, April 17, 2007 10:18 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - 
 CRITICAL VIRUS SCANNING UPDATE
 
 Hi David,
 
 Thank you for addressing the AVG problem as quickly as you did.
 
 I also think Declude is doing a good stuff on the Virus and 
 Spam lists and I have no problem how yesterday's 
 communication was handled on the virus list.
 
 However, I thought I had received a direct HTML formatted 
 customer notice, with logos as such (not just via the regular 
 virus list) urging the install of the new version (but I no 
 longer have those emails). So I had understood Dave that he 
 was expecting the warning - bad install email to be sent 
 through that same distribution.
 
 I only hope that I don't remember wrong and wasn't looking at 
 some older notice.
 
 Best Regards,
 Andy
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Tuesday, April 17, 2007 9:49 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - 
 CRITICAL VIRUS SCANNING UPDATE
 
 Andy and Dave,
 
 I had posted to the virus list as a courtesy giving everyone 
 on the virus list the heads up before actually notifying all 
 our customers. And yes I did post to the virus list again 
 once John had identified the issue and it was corrected 
 immediately, this all happened within a 25 minute time frame, 
 I think it is unfortunate that perhaps you downloaded the 
 Imail version during that window, and were upgrading from a 
 version prior to the last release 4.3.40, that being said I 
 do understand that it was annoying :) and I sincerely 
 apologize for the inconvenience.
 
 David Barker
 Director of Product Management
 Your Email security is our business
 978.499.2933 office
 978.988.1311 fax
 [EMAIL PROTECTED]
 
 
 
 
 
 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Andy Schmidt
 Sent: Tuesday, April 17, 2007 9:29 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - 
 CRITICAL VIRUS SCANNING UPDATE
 
 
 
 John,
 
 
 
 I think the point Dave is making is:
 
 
 
 They did notify all clients individually about the 
 availability of the new version, urging them to act immediately!
 
 However, when they managed to release 

RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

2007-04-13 Thread Colbeck, Andrew
The Administrators who should be applying the workaround are precisely
the same Administrators that have accidentally allowed inbound
connections on arbitrary ephemeral ports, i.e. if they clumsily opened
connections as per Darryl's suggestion of how/why this lack of
firewalling might happen.
 
If you are not sure, then apply the workaround.
 
If you are sure, but like a belt and suspenders approach and can live
without using the MMC snap-in to remotely manage your DNS server, apply
the workaround.
 
Normal DNS traffic, including zone transfers, is not affected.
 
I've provided the requisite registry entries as text file attachments.
Rename from .txt to .reg and apply the disable registry file, then stop
and start the DNS service.  Then test your DNS with a query or two, and
test if the MMC snap-in can truly not manage from a remote machine if
you are so inclined.
 
It worked for me.
 
Andrew.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Matt
Sent: Friday, April 13, 2007 11:53 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows
DNS Server Could Allow Remote Code Execution


Sounds then like it should be more specific.  It would seem to
make sense not to expose services such as DNS, which run as SYSTEM and
have full rights, to RPC traffic on variably assigned ports higher than
1024.  Maybe that makes more sense.

We're awfully lucky that stateful firewalls evolved and became
generally available before worms became prolific.

Based on what SANS says, they recommend option #1 of the
recommendations that says Disable remote management over RPC for the
DNS server via a registry key setting. at 
https://isc.sans.org/diary.html?storyid=2627  It would also seem that if
one is not running Windows DNS, then you are not at risk from this
particular threat.  Note that this bug has the potential of becoming
another Code Red/Nimda/SQL Slammer if it is worm-ified and pushed out
before the eventual Windows Update is widely implemented.  Seems that
spammers are more interested in owning boxes rather than wreaking
widespread havoc with worms these days though.

Matt


Sanford Whiteman wrote: 

It is also odd and possibly grossly incompetent of Microsoft to
choose to use ports 1024+ for such purposes, but I'm thinking that
they have some weakly justifiable reason to do this as a feature.

RPC endpoints always choose dynamic ports in the customary ephemeral
range, not the reserved range. This is by definition and common sense.

RPC is not a Microsoft invention. It was pioneered by Xerox & Sun and
was implemented using the same basic model across many OSs.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



  





REGEDIT4

; Deletes the RpcProtocol value, restoring the default (remote management over RPC allowed again)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"RpcProtocol"=-


REGEDIT4

; Restricts DNS server RPC to local calls only, i.e. the "disable remote management over RPC" workaround
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"RpcProtocol"=dword:00000004



RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

2007-04-13 Thread Colbeck, Andrew
Just curious...wouldn't it make sense to apply the patch unless one's
DNS server is firewalled both internally and externally?
 
Definitely!
 
I'd go as far as to say that it is reasonable to apply the same security
concepts to your internal network as you do for your external network
and DMZ.  You simply can't trust that the bad guys are always kept
outside the network; many breaches come from the inside, and one
compromised host will certainly have too much privilege on the internal
network.  Few administrators firewall and monitor their internal
traffic.
 
In my corporate day job, I've seen far too many networks that are built
like an igloo: hard and crunchy on the outside, soft and chewy on the
inside.
 
Andrew 8)
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Matt
Sent: Friday, April 13, 2007 12:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows
DNS Server Could Allow Remote Code Execution


Just curious...wouldn't it make sense to apply the patch unless
one's DNS server is firewalled both internally and externally?  We have
seen botnet owners launch high volume trojan campaigns at the drop of a
hat, and if it is in fact the botnet owners that are going to exploit
this, it would seem that they could attack from clients within one's
network.  It's a much less likely scenario than the worm or direct
Internet attack approaches, but it certainly would still seem to be a
vulnerability.  I suppose that it may depend on how ultimately important
security is for one's organization, after all, we don't all use retinal
scanners to unlock our doors :)

Keep in mind that this was detected in the wild 7 days before
Microsoft even released the advisory.  The original posts say that the
traffic looks similar to Blaster worm traffic.  Here's what happened
back in 2003 with that one...note that it hit one month after the
advisory and that one was using ports 1024, though fixed ports that are
easier to target if open:

http://isc.sans.org/diary.html?date=2003-08-11

Matt



Colbeck, Andrew wrote: 

The Administrators who should be applying the workaround
are precisely the same Administrators that have accidentally allowed
inbound connections on arbitrary ephemeral ports, i.e. if they clumsily
opened connections as per Darryl's suggestion of how/why this lack of
firewalling might happen.
 
If you are not sure, then apply the workaround.
 
If you are sure, but like a belt and suspenders approach
and can live without using the MMC snap-in to remotely manage your DNS
server, apply the workaround.
 
Normal DNS traffic, including zone transfers, is not
affected.
 
I've provided the requisite registry entries as text
file attachments.  Rename from .txt to .reg and apply the disable
registry file, then stop and start the DNS service.  Then test your DNS
with a query or two, and test if the MMC snap-in can truly not manage
from a remote machine if you are so inclined.
 
It worked for me.
 
Andrew.
 
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, April 13, 2007 11:53 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in
RPC on Windows DNS Server Could Allow Remote Code Execution


Sounds then like it should be more specific.  It
would seem to make sense not to expose services such as DNS, which run
as SYSTEM and have full rights, to RPC traffic on variably assigned ports
higher than 1024.  Maybe that makes more sense.

We're awfully lucky that stateful firewalls
evolved and became generally available before worms became prolific.

Based on what SANS says, they recommend option
#1 of the recommendations that says "Disable remote management over RPC
for the DNS server via a registry key setting." at
https://isc.sans.org/diary.html?storyid=2627  It would also seem that if
one is not running Windows DNS, then you are not at risk from this
particular threat.  Note that this bug has the potential of becoming
another Code Red/Nimda/SQL Slammer if it is worm-ified and pushed out
before the eventual Windows Update is widely implemented.  Seems that
spammers are more interested in owning boxes rather than wreaking
widespread havoc with worms these days though.

Matt


Sanford Whiteman wrote: 

It  is  also  odd  and  possibly grossly
incompetent of Microsoft to
choose

RE: [Declude.JunkMail] Imail Anti-spam

2007-04-11 Thread Colbeck, Andrew
I'm biased in favour of Declude, too.

What I find is that there is NO test that is perfect, so Declude's
weighted system is the right fit for me.

Last time I bothered to look, all of IMail's features were weak copycats
of Declude and/or industry standard tests, and a SINGLE triggered
feature would cause the message to be flagged as spam.

I don't need false positives, I already have a fulltime job.  So I don't
use SINGLE tests as an indicator of spam, and therefore, I don't use the
IMail tests.

I do however use the kill list in IMail, so that from certain MAILFROM
addresses, the rest of my IMail and Declude never have to deal with
their mail.

Andrew.

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Wednesday, April 11, 2007 9:33 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Imail Anti-spam
 
 None of Imails features. But then I am probably biased ;)
 
 David Barker
 Director of Product Management
 Your Email security is our business
 978.499.2933 office
 978.988.1311 fax
 [EMAIL PROTECTED]
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Chuck Schick
 Sent: Wednesday, April 11, 2007 12:33 PM
 To: Declude. JunkMail
 Subject: [Declude.JunkMail] Imail Anti-spam
 
 We are running IMAIL 8.22 and I am looking at the Anti-spam 
 features.  We are also running declude.  Which Anti-spam 
 features do people find good to turn on in Imail versus Declude?  
 
 Chuck Schick
 Warp 8, Inc.
 (303)-421-5140
 www.warp8.com
 
 
 
 
 
 
 
 





RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please

2007-03-16 Thread Colbeck, Andrew
You're safe, Robert.

I've seen this part in spam sent to my domain for about a year:

 Received: from 208.100.26.91 (HELO smtp.igive.com)
  by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
  id JLM3A5-)G'4.A-M/

The gibberish in the received block is a definite spam signature and
is entirely fake.  The army isn't going to be breaking down your door
and making you eat this spam.

Andrew 8)


 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Robert Grosshandler
 Sent: Friday, March 16, 2007 7:39 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Bounce / Spoof Analysis Help Please
 
 Hi
 
 We're seeing bounce messages similar to the following.  I 
 don't think our server has been compromised, but I want to be 
 sure.  We legitimately send mail from 208.100.26.91, but I 
 think (hope) its appearance in the following is spoofed.
 
 
 
 --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
 The-original-message-was-received-at-Fri,-16-Mar-2007-08: 
 55:31 -0400 (EDT)
 
- The following addresses had permanent fatal errors 
 - [EMAIL PROTECTED]
 (reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED])
- Transcript of session follows - ... when talking 
 to ahrc00bh0106287.nae.ds.army.mil. while trying to contact
 hrcmail.hoffman.army.mil.:
  DATA
  550 5.7.1 Unable to relay for [EMAIL PROTECTED] 550 
 5.1.1 [EMAIL PROTECTED]... User unknown  554 5.5.2 
 No valid recipients
 
 --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
 Content-Type: message/delivery-status
 
 Reporting-MTA: dns; hrcpro21.hoffman.army.mil
 Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
 
 Final-Recipient: RFC822; [EMAIL PROTECTED]
 Action: failed
 Status: 5.7.1
 Remote-MTA: DNS; hrcmail.hoffman.army.mil
 Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for 
 [EMAIL PROTECTED]
 Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT)
 
 
 --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
 Content-Type: message/rfc822
 
 Return-Path: [EMAIL PROTECTED]
 Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl
 [89.78.68.55])
   by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;
   Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
 Received: from 208.100.26.91 (HELO smtp.igive.com)
  by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
  id JLM3A5-)G'4.A-M/
  for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060
 From: Effie Drummond
 To: [EMAIL PROTECTED]
 Subject: Choosing Online Pharmacy.
 Date: Fri, 16 Mar 2007 12:55:33 -0060
 Message-ID: [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
   boundary==_NextPart_000_000E_01C767D2.C434B490
 X-Priority: 3 (Normal)
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
 Importance: Normal
 X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message
 X-Antivirus-Status: Clean
 x-scc-prev-hop: 89.78.68.55
 
 
 
 
 
 





RE: [Declude.JunkMail] PCRE FILTERING

2007-03-14 Thread Colbeck, Andrew
 This was an old, old feature request/bug fix from back in the 
 Scott days, where it was desired not include encoded base64 

I requested this as a change long ago for two reasons:

1) To avoid false positives where search text matches the MIME or UUENCODE 
formatting

2) To provide an instant speed up in BODY and ANYWHERE processing because 
Declude has less text to match, in particular when MIME encoding text is being 
searched for, say, an encoded PDF, DOC or JPG.

It may also have the additional benefit of being more accurate:

3) To provide for fewer false negatives, because the string size is more 
complete with the body text.

I don't know how it was truly programmed, but the operational explanation from 
Scott years ago was that Declude decodes the message and strips various formattings, 
concatenates it all into one very large string, and that is what the BODY and 
ANYWHERE filters search against.

This lets Declude do a BODY match where the text is obfuscated inside of HTML, 
because the HTML tags are stripped, and likewise, should catch a phrase which 
is split by a linefeed.

I recognized that this was a major coding change, but I thought it would be 
beneficial for power users to specify the layer at which the text searching 
is done, e.g.

Message        (Original message format with all the warts)
MessageFixed   (Illegal characters stripped and line formats fixed)
MessageDecoded (MIME and UUENCODE converted back to 8 bit ASCII)
Text           (Only the text attachments specified, not graphics
                and not documents or other binary attachments)
TextStripped   (HTML stripped out, white space collapsed)

I've removed HTML deobfuscation as a layer to this onion, as that is too 
specific of a spammer technique, and is adequately covered by creative PCRE if 
the last two text layers are available.

The MessageDecoded layer is probably sufficiently represented by just the 
bones of the message, the text that makes up the framework of the message such 
as the header lines and the MIME Content-Type and boundary lines, without the 
actual text contents and without the attachments.

In the many years that I've used Declude (and been preceded by power users 
such as Sandy, Matt, and John [and superseded by Scott]) nobody has ever wanted 
to match text against the representation of an attachment, e.g. to match text 
against the representation of an executable, a specific virus, or the header of 
a TIFF file.

Andrew.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Matt
 Sent: Wednesday, March 14, 2007 9:21 AM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] PCRE FILTERING
 
 Dave,
 
 This was an old, old feature request/bug fix from back in the 
 Scott days, where it was desired not to include encoded base64 
 content on BODY searches (decoded content was desired).  The 
 work-around for this is to add a separator to the end of the 
 filter such as a period, comma, space, tab, or left HTML bracket.
 
 It would also help to specify what format the BODY data would 
 come in, for instance is a line break in the original 
 processed by the regular expression as a line break?  It 
 would be hugely beneficial to regular expressions to take the 
 BODY content and strip out all line breaks, replacing them 
 with spaces for the purpose of filtering with regex.  
 Maybe it is time to create another variable for body content 
 that is more regex friendly?  That should be easy enough to do.
 
 Matt
 
 
 
 David Barker wrote:
  We can certainly look at doing something like that, 
 currently I am using
  this line:
 
  BODYEND CONTAINS
 Content-Transfer-Encoding: base64
 
  David 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Scott
  Fisher
  Sent: Wednesday, March 14, 2007 10:15 AM
  To: declude.junkmail@declude.com
  Subject: Re: [Declude.JunkMail] PCRE FILTERING
 
  I'm seeing hits in the attachments too.
  Triggered ANYWHERE PCRE filter REGEX-KEYWORDS : 
 vHXAH51eG1ujzM   (valium)
 
  It would be real nice to be able to search the body without 
 the attachments
  like this.
  BODYONLY 25  PCRE
  (?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)
 
  Being able to search the body without the attachments would 
 also be a time
  saver on those BODY filters.
 
 
 
  - Original Message - 
  From: David Barker [EMAIL PROTECTED]
  To: declude.junkmail@declude.com
  Sent: Tuesday, March 13, 2007 11:24 AM
  Subject: [Declude.JunkMail] PCRE FILTERING
 
 
  Wanted to give a sample of how the new Regular Expressions 
 are identifying
  patterns, here is a log snip on a few patterns for Drugs:
 
  ANYWHERE PCRE filter FILTER-DRUGS : C1al.is [weight - 5]
  ANYWHERE PCRE filter FILTER-DRUGS : C1alis is [weight - 5]
  ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight - 5]
  ANYWHERE PCRE filter FILTER-DRUGS : Cia1is s [weight - 5]
  ANYWHERE PCRE filter 
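As an added example (not Declude's code, and not written by anyone in this thread), the layered search Andrew sketches above, implemented in Python on a constructed message: the same pattern is run against the raw message, the transfer-decoded parts, the text parts and the tag-stripped text, so the base64-blob false positive Scott reported and an HTML/linefeed-obfuscated phrase land in different layers. The MessageFixed layer is omitted; layer names are Andrew's, everything else is assumed.

```python
"""Layered body search in the shape the thread describes: decode the
message, strip formatting, and search the cooked text rather than the
raw transfer encoding.  Added example, not Declude code.  Layer names
follow Andrew's proposal (MessageFixed omitted); the message is made up."""
import email
import html
import re
from email import policy

# Constructed spam-shaped message: the phrase "Cheap Valium" is split by a
# linefeed and by HTML tags, and the base64 text of a binary attachment
# happens to contain the letters "vAlium", the way Scott's
# "vHXAH51eG1ujzM (valium)" hit did.
SAMPLE = b"""\
From: sender@example.com
To: you@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset=us-ascii

<html><body><p>Cheap
V<b>a</b>li<span>u</span>m&nbsp;online</p></body></html>
--B1
Content-Type: application/octet-stream; name="x.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="x.bin"

vAliumAA
--B1--
"""

TAG = re.compile(r"<[^>]+>")


def layers(raw: bytes) -> dict:
    """Build the search layers, from rawest to most cooked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    decoded, text = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        decoded.append(payload.decode("latin-1"))
        if (part.get_content_maintype() == "text"
                and part.get_content_disposition() != "attachment"):
            charset = part.get_content_charset() or "latin-1"
            text.append(payload.decode(charset, "replace"))
    joined = "\n".join(text)
    # Tags are deleted outright rather than replaced by spaces, so letters a
    # spammer spreads across <b>/<span> wrappers are rejoined into the word.
    stripped = re.sub(r"\s+", " ", html.unescape(TAG.sub("", joined))).strip()
    return {
        "Message": raw.decode("latin-1"),        # original, warts and all
        "MessageDecoded": "\n".join(decoded),    # every part transfer-decoded
        "Text": joined,                          # text parts only, tags intact
        "TextStripped": stripped,                # tags gone, whitespace collapsed
    }


def scan(layer_text: str, pattern: str) -> list:
    """Return the substrings that pattern matches in one layer."""
    return [m.group(0) for m in re.finditer(pattern, layer_text)]


# A loose drug-name pattern of the kind shown for ANYWHERE filters: each
# letter may be followed by up to two junk characters.  STRICT is the
# phrase test that only the stripped layer can satisfy.
LOOSE = r"(?i)v.{0,2}a.{0,2}l.{0,2}i.{0,2}u.{0,2}m"
STRICT = r"(?i)\bcheap valium\b"


def report(raw: bytes, pattern: str) -> dict:
    """Matches of pattern per layer: shows where a filter would fire."""
    return {name: scan(text, pattern) for name, text in layers(raw).items()}
```

On the sample, LOOSE fires on the raw message only because of the attachment's base64 text, fires on nothing once the parts are decoded, and fires on the real phrase only in TextStripped, where STRICT also matches "Cheap Valium".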

RE: [Declude.JunkMail] Declude/Sniffer Issues

2007-02-19 Thread Colbeck, Andrew
In my declude.cfg I have set the:
 
AUTOREVIEW OFF
 
which is the default for this directive.  I've seen a poison email
that makes Declude crash or stop quietly, and AUTOREVIEW ON just puts
the poison email back in the queue again.  You may find that there are
c:\declude.gp1 and c:\declude.gp2 files on your crashed system, with
corresponding decMMDD.log entries.
 
I'm not entirely sure if the cause is actually the same, but I've also
seen two Declude systems that were hosed by too much traffic; there were
literally over a hundred CSCRIPT.EXE and SNIFFER.EXE child processes
orphaned with each orphan allocated only 48KB in Task Manager.  I've
only ever seen that particular orphan behaviour on Declude based
systems.
 
Andrew.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Chris Patterson
Sent: Monday, February 19, 2007 11:20 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues



When this issue happens which seems more frequent, I do clear
out the thousands of left behind files.  I am more trying to find a way
to prevent it or reason that is happening.

 

And yes, Sniffer does have a hard time operating when it hoses
up that bad.

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Darrell ([EMAIL PROTECTED])
Sent: Monday, February 19, 2007 1:40 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

 

Chris,

 

I am gathering that you are running Sniffer in persistent mode?
I would stop your Declude and Sniffer services.  Then go into the
sniffer directory and remove all of the *.fin, *.svr files.  I am not
sure what the .xxx files are.  I have yet to see those.  Then I would
check your Sniffer log for any errors.  After making sure there are no
errors I would restart the Sniffer persistent service and Declude and
see if the issue is resolved.  It's possible Sniffer could be stepping
on itself trying to weed through all those files.  

 

Darrell



Check out http://www.invariantsystems.com for utilities for
Declude And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.

- Original Message - 

From: Chris Patterson mailto:[EMAIL PROTECTED]  

To: declude.junkmail@declude.com 

Sent: Monday, February 19, 2007 1:03 PM

Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

 

I get this in logs:

 

02/19/2007 05:16:12.213 23859386 ERROR: External program
SNIFFER didn't finish quick enough; terminating.

02/19/2007 05:16:12.213 23859386 Couldn't get external
program exit code

 

At this point I see thousands of .xxx and .fin files
built up in the sniffer directory.  Usually forcing a sniffer update
(normally done every hour automatically).

 

 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, February 19, 2007 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

 

What are you seeing in the logs that indicates this?
Declude will terminate long running external processes and log that it
terminated it.   Are you seeing those entries?  Also, during these times
when you look at task manager do you see a bunch of idle sniffer
processes?

 

Typically from my experience when you see all the
threads being used with very little to no CPU usage it tends to be a DNS
issue (i.e slow or not responding DNS server).

 

Darrell



Check out http://www.invariantsystems.com for utilities
for Declude And Imail.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message - 

From: Chris Patterson mailto:[EMAIL PROTECTED]  

To: declude.junkmail@declude.com 

Sent: Monday, February 19, 2007 8:47 AM

Subject: [Declude.JunkMail] Declude/Sniffer
Issues

 

I am running 2 versions of Smartermail & Declude
both running Sniffer and InvURIBL.  One is Smartermail4/Declude4.3.3
Other is Smartermail2/Declude3.

   

RE: [Declude.JunkMail] dns attacks today

2007-02-12 Thread Colbeck, Andrew
FWIW, Paul Parisi is not only the CTO of DNSStuff.com but is also the
CTO of Declude.com ... Which helped me frame David's reply!

http://www.declude.com/site/news1017.htm

http://www.boston.com/business/whoswhat/2006/12/declude_newbury.html

Andrew.

p.s. I ran a whois on a few typo variations on DNSStuff.com out of
curiosity and got a few different domain squatters.



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, February 08, 2007 5:55 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] dns attacks today
 
 Don't panic Darin, Scott is still involved with DNSStuff, 
 just not in a PR role.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Darin Cox
 Sent: Wednesday, February 07, 2007 5:59 PM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] dns attacks today
 
 So where's Scott in this picture?  And who's Paul Parisi, 
 other than CTO of DNSstuff.com?  Is Scott selling DNSstuff 
 and DNSreport as well?
 
 Darin.
 
 
 - Original Message -
 From: Nick Hayer [EMAIL PROTECTED]
 To: declude.junkmail@declude.com
 Sent: Wednesday, February 07, 2007 5:06 PM
 Subject: [Declude.JunkMail] dns attacks today
 
 
 fyi -
 http://www.darkreading.com/document.asp?doc_id=116685WT.svl=news2_1
 
 -Nick
 
 
 
 
 
 
 
 
 
 
 





RE: [Declude.JunkMail] SPAM reductions ?

2007-01-31 Thread Colbeck, Andrew
Karl, maybe your spam slowdown is because of the lame delegation of two
out of three of your DNS servers listed in your WHOIS.
 
http://www.dnsreport.com/tools/dnsreport.ch?domain=casselberry.org
 
How long have you not been using the DNS servers at twtelecom.net ?
 
Andrew.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of IS - Systems Eng. (Karl Drugge)
Sent: Wednesday, January 31, 2007 5:23 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] SPAM reductions ?



Anyone seeing a reduction in incoming SPAM ? I've been looking
at my morning reports, and my incoming mail is off by 30 percent or so
for the past two weeks.

 

Typically, I'll see 12-15k messages a day, but lately it's been
9-12k. I can't believe I'm the only lucky one...

 

 

Karl Drugge

 




[Declude.JunkMail] Corrupt HELO causes fall-through of a spammy message?

2007-01-29 Thread Colbeck, Andrew
One of my users received a spammy message which accumulated enough
weight to reach our HOLD action.

What I think happened is that the HELO, which has various high-bit
characters that are illegal in a HELO, caused bad parsing of that line
in the header... The BADHEADERS and HELOBOGUS were both tripped, but
this email (which came from a zombie, therefore only one hop in the
header) listed the remote IP as [0.0.0.0].

If the remote IP was detected correctly, the DNS tests would have lit up
like a Christmas tree, because the IP is a zombie that has been running
for some time.

On logging level HIGH, Declude only logged two lines:

01/26/2007 21:50:13.793 qe80700f93d7a.smd BADHEADERS:6 HELOBOGUS:5
DYNHELO:6 SNIFFERMEDIA:11 SNIFFERANY:1 (snip) .  Total weight = 41.

01/26/2007 21:50:13.793 qe80700f93d7a.smd Cumulative action(s) taken
on this email = NO ACTIONS WERE TAKEN 

I've bundled up the message, the Declude and IMail log lines and sent
them to Declude Support.

Andrew.





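As an added example (not Declude's code, and not from any poster), a Received-header checker for the two symptoms raised in these threads: the forged hop in Robert's bounce (a queue id full of punctuation and the impossible "-0060" offset) and a HELO with high-bit characters that leaves a header parser with no recoverable connecting address, the [0.0.0.0] case above. The two bounce hops are taken from the thread; the other samples, the regexes and the function names are assumptions of this example.

```python
"""Received-header checks for two symptoms from these threads: a forged hop
with gibberish tokens and an impossible UTC offset (the igive.com bounce),
and a HELO full of high-bit characters that leaves a header parser with no
usable connecting address, which is how a message gets logged as [0.0.0.0].
Added example, not Declude code; sample provenance is noted per sample."""
import re
from dataclasses import dataclass, field

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# A HELO/EHLO argument may only be hostname labels or a bracketed address
# literal; 8-bit bytes, quotes or parentheses there are a spam signal.
HELO_OK = re.compile(r"[A-Za-z0-9.\-\[\]:]+")
# Queue ids from sendmail, Postfix, qmail and Exim are plain alphanumerics;
# punctuation such as ) ' / only turns up in forged hops.
ID_OK = re.compile(r"[A-Za-z0-9._\-]+")
UTC_OFFSET = re.compile(r"([+-])(\d{2})(\d{2})(?!\d)")


@dataclass
class Hop:
    helo: str
    ip: str                        # "0.0.0.0" when nothing could be recovered
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def unfold_received(raw_headers: str) -> list:
    """Return each Received header as one unfolded single-line string."""
    hops, current = [], None
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            current.append(line.strip())           # folded continuation line
            continue
        if current:
            hops.append(" ".join(current))
        current = [line.strip()] if line.lower().startswith("received:") else None
    if current:
        hops.append(" ".join(current))
    return hops


def analyse_hop(header: str) -> Hop:
    """Pull HELO and connecting IP out of one Received header and record
    anything that no sane MTA would have written into it."""
    m = re.match(r"Received:\s*from\s+(\S+)(.*?)(?:\s+by\s+|$)", header, re.I | re.S)
    if not m:
        return Hop("", "0.0.0.0", ["no 'from' clause"])
    token, rest = m.group(1), m.group(2)
    claimed = re.search(r"\(HELO\s+([^)\s]+)\)", rest, re.I)   # qmail-style form
    hop = Hop(claimed.group(1) if claimed else token, "0.0.0.0")
    if not HELO_OK.fullmatch(hop.helo):
        hop.findings.append(f"HELO {hop.helo!r} contains characters illegal in a hostname")
    literal = re.search(r"\[(" + IPV4 + r")\]", rest)
    if literal:
        hop.ip = literal.group(1)                  # the receiving MTA's view of the peer
    elif re.fullmatch(IPV4, token.strip("[]")):
        hop.ip = token.strip("[]")                 # "from 1.2.3.4 (HELO name)"
    else:
        # The thread's symptom: with the HELO mangled and no address literal,
        # the header alone yields nothing better than 0.0.0.0.  A filter must
        # take the peer address from the MTA's socket or its IP tests all skip.
        hop.findings.append("no connecting address recoverable from header")
    idm = re.search(r"\bid\s+(\S+)", header)
    if idm and not ID_OK.fullmatch(idm.group(1).rstrip(";")):
        hop.findings.append(f"queue id {idm.group(1).rstrip(';')!r} is not alphanumeric")
    off = UTC_OFFSET.search(header.rsplit(";", 1)[-1])
    if off and int(off.group(3)) > 59:
        hop.findings.append(f"impossible UTC offset {off.group(0)}")
    return hop


def analyse_message(raw_headers: str) -> list:
    return [analyse_hop(h) for h in unfold_received(raw_headers)]


# The two hops quoted from the bounce in the thread (the recipient address
# the archive redacted has been dropped): the first is the real delivery
# from the chello.pl zombie, the second is the forged hop naming igive.com.
SAMPLE_BOUNCE = """\
Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl
 [89.78.68.55])
  by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;
  Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
Received: from 208.100.26.91 (HELO smtp.igive.com)
 by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
 id JLM3A5-)G'4.A-M/; Fri, 16 Mar 2007 12:55:33 -0060
From: Effie Drummond
Subject: Choosing Online Pharmacy.
"""
# Constructed: high-bit HELO, but the MTA still recorded the peer in brackets.
SAMPLE_HIGHBIT_LITERAL = ("Received: from h\u00e9llo\u00ff.example (unknown [203.0.113.45])"
                          " by mail.example.net with SMTP id k7x2; Fri, 26 Jan 2007 21:50:13 -0800")
# Constructed: high-bit HELO and no literal at all, the [0.0.0.0] case.
SAMPLE_HIGHBIT_NOLITERAL = ("Received: from \u00e9\u00e9\u00e9.example by mail.example.net"
                            " with SMTP; Fri, 26 Jan 2007 21:50:13 -0800")
```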



RE: [Declude.JunkMail] all_list.dat ?

2007-01-18 Thread Colbeck, Andrew
Thanks, David.

The early report is that it's working for me.

Andrew 8)




 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, January 18, 2007 7:37 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] all_list.dat ?
 
 New all_list.dat available on the My Account home page of 
 Declude. 18 Jan 07 344kB
 
 David Barker
 Director of Product Management
 Your Email security is our business
 978.499.2933 office
 978.988.1311 fax
 [EMAIL PROTECTED]
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Gary Steiner
 Sent: Tuesday, January 09, 2007 4:30 PM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] all_list.dat ?
 
 David (or any Declude people that may be reading),
 
 Any chance of seeing a new all_list.dat any time soon, 
 considering the current one has a date of 6 Jul 06, and 
 considering the additional input from this recent thread?
 
 I'm starting to see false positives caused by weights I 
 previously gave to IANA Reserved and RIPE Unlisted.
 
 Gary
 
 
 
  Original Message 
  From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED]
  Sent: Thursday, January 04, 2007 5:57 PM
  To: declude.junkmail@declude.com
  Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
  
  Indeed.  When we obtained our own IP space from ARIN, it was from 
  72/8, which had been released only about 6 months prior to it being 
  assigned to us.  You wouldn't believe the number of 
 networks that were 
  running with 72/8 in their bogons list and were entirely blocking 
  traffic from our network...
  
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Darrell ([EMAIL PROTECTED])
  Sent: Thursday, January 04, 2007 3:47 PM
  To: declude.junkmail@declude.com
  Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
  
  
  I would be very careful with this.  IANA just released (I believe in
  October) 96/8, 97/8, 98/8, 99/8.  With the all_list.dat not being 
  updated frequently I would tread very lightly in this area.  Part of
  96/8 has been handed out.
  
  Darrell
  
 --
  -- Check out http://www.invariantsystems.com for utilities 
 for Declude 
  And Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
  integration, MRTG Integration, and Log Parsers.
  
  - Original Message -
  From: S.J.Stanaitis [EMAIL PROTECTED]
  To: declude.junkmail@declude.com
  Sent: Thursday, January 04, 2007 3:29 PM
  Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
  
  
  Nice.
  
  Thanks,
  Sam
  
  SJ.Stanaitis - Network Administrator
  Decorative Product Source E-commerce Network
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Scott Fisher
  Sent: Thursday, January 04, 2007 3:16 PM
  To: declude.junkmail@declude.com
  Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
  
  sending hop only: COUNTRY 0 IS *R
  
  or
  
  all hops: COUNTRIES 0 CONTAINS *R
  
  - Original Message -
  From: S.J.Stanaitis [EMAIL PROTECTED]
  To: declude.junkmail@declude.com
  Sent: Thursday, January 04, 2007 1:55 PM
  Subject: RE: [Declude.JunkMail] [IANA Reserved] ?
  
  
   Holy [EMAIL PROTECTED], that answers one question!
  
   Any idea how to incorporate the IANA Reserved thing 
 into Declude?
  
   Thanks,
   Sam
  
   SJ.Stanaitis - Network Administrator Decorative Product Source 
   E-commerce Network
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of
  Scott
   Fisher
   Sent: Thursday, January 04, 2007 2:37 PM
   To: declude.junkmail@declude.com
   Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
  
   Here are my december totals for the odd-balls (COUNTRY IS test)
  
Country Name           CountOfMessageID  DEL SPAM  HELD SPAM  Poss SPAM   OK
APNIC Unlisted                       97        97          0          0    0
ARIN Unlisted                      1426      1395         12          1   18
Central/South America                89        89          0          0    0
European Union                     1804      1674          8          1  121
IANA Reserved                     11677     11428         91        118   39
Multi-Regional                       23        19          1          1    2
RIPE Unlisted                      1332      1330          1          1    0
Unknown                            4018      3938         13          3   64
  
  
   #
   #  Special Codes
   #
   #*1 Multi-Regional
   #*2 Europe
   #*3 North America
   #*4 Central/South America
   #*5 Pacific Rim
   #*A ARIN Unlisted (North America/South Africa)
   #*B Public Data Network
   #*E RIPE Unlisted (Europe, North Africa, Middle East)
   #*I Private IP
   #*L Loopback
   #*M Multicast
   #*P APNIC Unlisted (Asia Pacific)
   #*R IANA Reserved
   #*U Unknown
  
  
   - Original Message -
   From: S.J.Stanaitis [EMAIL PROTECTED]
   To: declude.junkmail@declude.com
   Sent: Thursday, January 04, 2007 1:02 PM
   Subject: [Declude.JunkMail] [IANA Reserved] ?
  
  
  I currently tag each incoming email from a country other 
 than the US
  (with
   few exceptions) with a weight of 10.  Some 

RE: [Declude.JunkMail] WAY OT: Registry Repair

2006-12-19 Thread Colbeck, Andrew
Hmm, I've no faith that regedit will report a permissions problem as
such and not as a generic error.
 
I noted that you said in your first post that you also tried to
rename/delete the parent tree but you get an error when it gets to the
Run key.
 
Did you use the Advanced button at the level:
 
 
In order to take Ownership, and apply to the children, so that you
certainly have privileges?
 
Have you tried to remove the key this way:
 
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
 
Have you tried it as SYSTEM by closing all copies of regedit and doing
this from the console session (in case you're using RDP):
 
at 9:00AM /interactive c:\windows\regedit.exe
 
to get a copy of regedit.exe running as the SYSTEM account?
 
Beyond that, um, no, I've never heard of a 3rd party tool that can edit
the registry file directly.  If you boot from an install CD, you can
choose the first Repair option to repair the various hives, but whether
that does a check and correct to really fix a corrupt file, I don't
know.
 
Andrew 8)
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Andy Schmidt
Sent: Monday, December 18, 2006 9:48 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] WAY OT: Registry Repair


Yes, if it was that easy. Initially I had also figured it was
just a permission problem.
 
Eventually, I looked closer and realized that I never do get any
message that seems to imply permission problems - the message is always
that the key cannot be opened. 
 
Even trying to access the Permissions gives me the open error -
NO chance to perform any permission functions.
 
When I access the permissions of the parent key and try to reset
the child permissions (or just Child ownership) - I get an error when
indicating that it can't do so for Run.
 
 

- Original Message - 
From: Colbeck, Andrew mailto:[EMAIL PROTECTED]  
To: declude.junkmail@declude.com 
Sent: Monday, December 18, 2006 06:33 PM
Subject: RE: [Declude.JunkMail] WAY OT: Registry Repair

Andy, five will get you ten that it is the permissions
that are mangled, not the key itself.
 
Run RegEdit.exe and right-click on the Run key, then
choose Permissions.
 
Go into the Advanced button and choose to Inherit
from parent... and the permissions should get fixed up.
 
You should see:
 
Allow  Users (local machine name)           Read
Allow  Power Users (local machine name)     Special
Allow  Administrators (local machine name)  Full Control
Allow  SYSTEM                               Full Control
Allow  CREATOR OWNER                        Full Control
 
 
Aside from administrative error, the only times I've
seen the permissions modified on this part of the registry is if the bad
guys are trying to retain control of a 'bot.
 
Andrew 8)
 
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Monday, December 18, 2006 3:01 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] WAY OT: Registry
Repair


Hi,
 
noticed today that 
 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
 
no longer opens (while logged on as the
workstation's admin). I can export the parent key - which will contain
everything EXCEPT the run key. But, then I can neither delete nor
rename the run key. Renaming/deleting the parent will appear to work
at first - until it reaches the Run subkey - then it will again report
that it cannot access that key.
 
So - I am suspecting that the Run key is
corrupt. It can't be read, edited, deleted or renamed.  I looked at some
registry repair tools, but they all seem to be Registry Optimizing
tools in disguise that fix logical problems in the registry
(registries with too much or supposedly bad information).
 
Does anyone know of a tool (for XP) that will
allow me to eliminate this bad key from the registry index somehow so
that I can just reimport the rest of the parent key?
 
Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax

RE: [Declude.JunkMail] ORDB.Org Shutting Down

2006-12-18 Thread Colbeck, Andrew
Thanks, Michael.
 
That was a good tip.
 
 
Andrew.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Michael Jaworski
Sent: Monday, December 18, 2006 10:09 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] ORDB.Org Shutting Down


Ordb.org is shutting down today. Time to review/edit config
files.
http://ordb.org/news/?id=38
 
Mike

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com. 





RE: [Declude.JunkMail] WAY OT: Registry Repair

2006-12-18 Thread Colbeck, Andrew
Andy, five will get you ten that it is the permissions that are mangled,
not the key itself.
 
Run RegEdit.exe and right-click on the Run key, then choose
Permissions.
 
Go into the Advanced button and choose to Inherit from parent... and
the permissions should get fixed up.
 
You should see:
 
Allow  Users (local machine name)           Read
Allow  Power Users (local machine name)     Special
Allow  Administrators (local machine name)  Full Control
Allow  SYSTEM                               Full Control
Allow  CREATOR OWNER                        Full Control
 
 
Aside from administrative error, the only times I've seen the
permissions modified on this part of the registry is if the bad guys are
trying to retain control of a 'bot.
 
Andrew 8)
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Andy Schmidt
Sent: Monday, December 18, 2006 3:01 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] WAY OT: Registry Repair


Hi,
 
noticed today that 
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
 
no longer opens (while logged on as the workstation's admin). I
can export the parent key - which will contain everything EXCEPT the
run key. But, then I can neither delete nor rename the run key.
Renaming/deleting the parent will appear to work at first - until it
reaches the Run subkey - then it will again report that it cannot
access that key.
 
So - I am suspecting that the Run key is corrupt. It can't be
read, edited, deleted or renamed.  I looked at some registry repair
tools, but they all seem to be Registry Optimizing tools in disguise
that fix logical problems in the registry (registries with too much or
supposedly bad information).
 
Does anyone know of a tool (for XP) that will allow me to
eliminate this bad key from the registry index somehow so that I can
just reimport the rest of the parent key?
 
Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 
 






RE: [Declude.JunkMail] OT: Interesting Discussions

2006-12-15 Thread Colbeck, Andrew
Great Scott!!

... Well with the clarity of 20/20 hindsight, I used mail-archive.com
with the IMail forum to see what you guys have talked about so fondly.
Ugh.  I don't miss that noise at all.

The interesting thing is, how many people in those threads are still
around *here* today.  Also, that somebody made a similar grab the
popcorn comment a few years ago.

Plus ça change, plus c'est la même chose! (The more things change, the more they stay the same.)

Andrew 8)




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of R. Scott Perry
 Sent: Friday, December 15, 2006 3:58 PM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] OT: Interesting Discussions
 
   I actually miss the twice annual entertaining discussions 
 on the Imail forum
   between Scott and Len with Sandy added for spice.
 
 It almost happened a couple weeks ago, on a BIND newsgroup, 
 where I brought something up and Len jumped into the 
 conversation.  It was a moderated newsgroup, though, and 
 everything after my first post never made it to the list 
 (despite being completely benign at that point).  
 
 They might have made it to the list a day or so later, or 
 perhaps the moderators knew what was to come...
   -Scott
 
 
 
 
 





RE: [Declude.JunkMail] New Reporting Tool

2006-12-12 Thread Colbeck, Andrew
The error means that the Perl interpreter thought that there was a
regular expression (hence, regex) at line 443 which had an unmatched
square bracket.  I don't see anything wrong with the line 443 in Karl's
posting, nor do I see what should have been a regular expression, in
that line, which I see as:
 
  if ( $DupeHolder =~ $sortedcleanedtests[$placecounter] ) {
 
I hope that helps the two of you get on the same page...
 
Andrew 8)
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Lists - Declude JunkMail
Sent: Thursday, December 07, 2006 1:29 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Reporting Tool


Thanks so much for this!
 
I tried it out and it errors out as follows:
 
 File path : g:/logarchive/
 Processing a single day
 
 Opening File : g:/logarchive/dec1206.log




.
 
 Sorting arrays and cleaning up data
Unmatched [ in regex; marked by <-- HERE in m/[ <-- HERE weight/ at f:\tools\distro-declog.pl line 443.
 
My log is 20mb if that matters.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of IS - Systems Eng. (Karl Drugge)
Posted At: Thursday, December 07, 2006 1:53 PM
Posted To: Lists - Declude JunkMail
Conversation: New Reporting Tool
Subject: [Declude.JunkMail] New Reporting Tool



 

The newest PERL script. Slices, dices, etc ... Throw it in a
directory, edit a few environment variables at the top of the script,
dump in a few Declude logs, run it, enjoy. Requires PERL, of course.

 

Added two command line switches : 'day' and 'week' . Day does
the previous day, week does the previous week. No command line switch,
and you do all the logs in the directory. This can be memory
intensive... You have been warned ! My own server, with 11-13k log
files, consumes 700+ megs of memory when doing an entire month. Folks
with larger files might want to think about doing this many files at
once.

 

Karl Drugge

 

 







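A worked illustration of the error above, added here as an example; it is not Karl's script and it is Python rather than Perl. The Perl line `if ( $DupeHolder =~ $sortedcleanedtests[$placecounter] )` compiles whatever string sits in the array as a pattern, so a test name containing `[` either aborts the whole run (the "Unmatched [" message) or, when the brackets happen to balance, silently matches the wrong text. The Python below reproduces both failure modes against constructed log lines and shows the fix: escape the name so it is compared literally. Log lines and test names are made up for the example.

```python
"""Data interpolated as a regex: the bug behind "Unmatched [ in regex".

The Perl idiom  $DupeHolder =~ $sortedcleanedtests[$i]  treats the array
element as a pattern. re.search(name, line) is the same mistake in Python.
"""
import re
from typing import Dict, List

# Constructed Declude-style log fragments (not a real log).
LOG_LINES = [
    "q7df6083c3523.smd FILTER-SPAM:15 . Total weight = 15.",
    "q7df6083c3523.smd WEIGHT10 [10] reached limit",
    "D6ccc08932bf7.smd nIPNOTINMX:-3 . Total weight = -3.",
    "D6ccc08932bf7.smd WEIGHT10 1 (not a test name, just text)",
]


def hits_naive(lines: List[str], names: List[str]) -> Dict[str, List[int]]:
    """Mirrors the Perl idiom: each test name is compiled as a regular expression.

    "WEIGHT10 [10]" becomes 'WEIGHT10 ' followed by a character class [10],
    so it matches line 3 and misses line 1; "FILTER-SPAM [weight" raises.
    """
    return {
        name: [i for i, line in enumerate(lines) if re.search(name, line)]
        for name in names
    }


def hits_safe(lines: List[str], names: List[str]) -> Dict[str, List[int]]:
    """Escape the name so it is matched literally, bounded by non-name characters."""
    counts: Dict[str, List[int]] = {}
    for name in names:
        pattern = re.compile(
            r"(?<![A-Za-z0-9_-])" + re.escape(name) + r"(?![A-Za-z0-9_-])"
        )
        counts[name] = [i for i, line in enumerate(lines) if pattern.search(line)]
    return counts


def naive_raises(lines: List[str], names: List[str]) -> bool:
    """True if the naive version aborts because a name is not a valid pattern."""
    try:
        hits_naive(lines, names)
    except re.error:
        return True
    return False


if __name__ == "__main__":
    names = ["FILTER-SPAM", "WEIGHT10 [10]", "nIPNOTINMX"]
    print("naive:", hits_naive(LOG_LINES, names))
    print("safe: ", hits_safe(LOG_LINES, names))
    print("aborts on 'FILTER-SPAM [weight':", naive_raises(LOG_LINES, ["FILTER-SPAM [weight"]))
```

The Perl equivalent of `re.escape` is `\Q...\E` around the interpolated variable, or `index()` when a plain substring test is what was meant. The same class of bug shows up wherever log data or user input is spliced into a pattern, which is why it is worth catching in a report generator before it reaches anything security-relevant.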


RE: [Declude.JunkMail] \spool\charset directory

2006-12-12 Thread Colbeck, Andrew
Harry, check your global.cfg and see if you have a test with a COPYTO
action that copies the email to that spool\charset folder when the test
is triggered.
 
Then comment out that test and action.
 
Andrew.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Harry Vanderzand
Sent: Tuesday, December 12, 2006 2:39 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] \spool\charset directory


The spool\charset directory is filling up with thousands of
e-mails per day.
 
Can that be stopped? while still keeping the bancharset command?

Harry Vanderzand 
inTown Internet  Computer Services 
519-741-1222


 






RE: [Declude.JunkMail] Spamhaus

2006-11-15 Thread Colbeck, Andrew
I just read that, too.
 
I've commented out my NJABLPROXIES ip4r test in my global.cfg and noted
that this is duplicated in my XBL test.
 
Andrew 8)
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Darin Cox
Sent: Wednesday, November 15, 2006 5:06 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spamhaus


FYI... from http://www.spamhaus.org/xbl/index.lasso
 
Mail servers already using dnsbl.njabl.org are advised to
continue doing so, as dnsbl.njabl.org is itself a composite list and
contains more than the open proxy IPs list part now incorporated in
XBL.
 
So there is partial, but not complete, overlap between XBL and
NJABL.

Darin.
 
 
- Original Message - 
From: Matt mailto:[EMAIL PROTECTED]  
To: declude.junkmail@declude.com 
Sent: Wednesday, November 15, 2006 7:27 PM
Subject: Re: [Declude.JunkMail] Spamhaus

You are correct.  I clearly missed the change where they removed
BLITZEDALL from distribution with the 127.0.0.6 result.  That result is
still listed on the main XBL page, but I didn't get a single hit for it
today, so it clearly isn't working.

NJABL has also been included now with 127.0.0.5 as you pointed
out, so some may want to change in order to save a lookup on NJABL:


SPAMHAUS   ip4r   sbl-xbl.spamhaus.org   127.0.0.2   120
XBL        ip4r   sbl-xbl.spamhaus.org   127.0.0.4   60
NJABL      ip4r   sbl-xbl.spamhaus.org   127.0.0.5   50

Matt




Scott Fisher wrote: 


I don't use sbl-xbl or xbl,  so I can't confirm this... 

but their website refers to 127.0.0.5 for NJABL and 127.0.0.4 for CBL.
No mention of blitzedall anymore. 


http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20XBL 
 What do the different return codes in the XBL mean?

The return code (127.0.0.*) denotes the data source
in the XBL (and also in the SBL-XBL combined zone) these are: 

   Return Codes Data Source 
   127.0.0.4 CBL 
   127.0.0.5 NJABL 


- Original Message - From: Matt
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  
To: declude.junkmail@declude.com
mailto:declude.junkmail@declude.com  
Sent: Wednesday, November 15, 2006 4:34 PM 
Subject: Re: [Declude.JunkMail] Spamhaus 




This is how to do it properly.  Declude will do
the lookup once when configured like this. 

SPAMHAUS     dnsbl   %IP4R%.sbl-xbl.spamhaus.org   127.0.0.2   120
XBL          dnsbl   %IP4R%.sbl-xbl.spamhaus.org   127.0.0.4   60
BLITZEDALL   dnsbl   %IP4R%.sbl-xbl.spamhaus.org   127.0.0.6   5   0

Matt 



David Sullivan wrote: 


Hello Darin, 

Wednesday, November 15, 2006, 4:12:49
PM, you wrote: 

DC> SBL       ip4r   sbl.spamhaus.org   *   55   0
DC> XBL       ip4r   xbl.spamhaus.org   *   55   0

I was using 127.0.0.2 for SBL and
127.0.0.4 for XBL but Spamhaus lists 
.2-4 for SBL and .2-6 for XBL but I
guess * would work for each and 
capture all return codes. Right? 

DC> SBL-XBL   ip4r   sbl-xbl.spamhaus.org   *   55   0

This doesn't discriminate between the
two then, right? 

Thanks 





















RE: [Declude.JunkMail] Spamhaus

2006-11-15 Thread Colbeck, Andrew
And if you're wondering where the BLITZED ip4r test went:
 
http://wiki.blitzed.org/OPM_status
 
 
Andrew 8)
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Colbeck, Andrew
Sent: Wednesday, November 15, 2006 5:13 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Spamhaus


I just read that, too.
 
I've commented out my NJABLPROXIES ip4r test in my global.cfg
and noted that this is duplicated in my XBL test.
 
Andrew 8)
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Darin Cox
Sent: Wednesday, November 15, 2006 5:06 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spamhaus


FYI... from http://www.spamhaus.org/xbl/index.lasso
 
Mail servers already using dnsbl.njabl.org are advised
to continue doing so, as dnsbl.njabl.org is itself a composite list and
contains more than the open proxy IPs list part now incorporated in
XBL.
 
So there is partial, but not complete, overlap between
XBL and NJABL.

Darin.
 
 
- Original Message - 
From: Matt mailto:[EMAIL PROTECTED]  
To: declude.junkmail@declude.com 
Sent: Wednesday, November 15, 2006 7:27 PM
Subject: Re: [Declude.JunkMail] Spamhaus

You are correct.  I clearly missed the change where they
removed BLITZEDALL from distribution with the 127.0.0.6 result.  That
result is still listed on the main XBL page, but I didn't get a single
hit for it today, so it clearly isn't working.

NJABL has also been included now with 127.0.0.5 as you
pointed out, so some may want to change in order to save a lookup on
NJABL:


SPAMHAUS   ip4r   sbl-xbl.spamhaus.org   127.0.0.2   120
XBL        ip4r   sbl-xbl.spamhaus.org   127.0.0.4   60
NJABL      ip4r   sbl-xbl.spamhaus.org   127.0.0.5   50

Matt




Scott Fisher wrote: 


I don't use sbl-xbl or xbl,  so I can't confirm
this... 

but their website refers to 127.0.0.5 for NJABL and 127.0.0.4 for CBL.
No mention of blitzedall anymore. 


http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20XBL 
 What do the different return codes in the
XBL mean? 
The return code (127.0.0.*) denotes the data
source in the XBL (and also in the SBL-XBL combined zone) these are: 

   Return Codes Data Source 
   127.0.0.4 CBL 
   127.0.0.5 NJABL 


- Original Message - From: Matt
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  
To: declude.junkmail@declude.com
mailto:declude.junkmail@declude.com  
Sent: Wednesday, November 15, 2006 4:34 PM 
Subject: Re: [Declude.JunkMail] Spamhaus 




This is how to do it properly.  Declude
will do the lookup once when configured like this. 

SPAMHAUS     dnsbl   %IP4R%.sbl-xbl.spamhaus.org   127.0.0.2   120
XBL          dnsbl   %IP4R%.sbl-xbl.spamhaus.org   127.0.0.4   60
BLITZEDALL   dnsbl   %IP4R%.sbl-xbl.spamhaus.org   127.0.0.6   5   0

Matt 



David Sullivan wrote: 


Hello Darin, 

Wednesday, November 15, 2006, 4:12:49
PM, you wrote: 

DC> SBL       ip4r   sbl.spamhaus.org   *   55   0
DC> XBL       ip4r   xbl.spamhaus.org   *   55   0

I was using 127.0.0.2 for SBL and
127.0.0.4 for XBL but Spamhaus lists 
.2-4 for SBL and .2-6 for XBL but I
guess * would work for each and 
capture all return codes. Right? 

DC> SBL-XBL   ip4r   sbl-xbl.spamhaus.org   *   55   0

This doesn't discriminate between the
two then, right? 

Thanks 







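To make the return-code discussion in this thread concrete, here is an added example; it is not Declude's code and not from anyone on the list. It models ip4r tests run against the combined sbl-xbl zone: tests are grouped by zone so that one DNS query answers SPAMHAUS, XBL and NJABL together (Matt's point that Declude does the lookup once), each test matches only its own 127.0.0.x result, and a `*` test on the combined zone fails without saying which list hit (David's question). The field order for an ip4r line (name, type, zone, result, fail weight, optional pass weight) is taken from the config lines quoted above; the resolver is a constructed stand-in keyed on RFC 5737 documentation addresses, and the listings it returns are hypothetical.

```python
"""Declude ip4r tests against a combined DNSBL zone: one lookup, many tests.

No network I/O: fake_resolver below stands in for DNS.
"""
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Return codes for sbl-xbl.spamhaus.org as quoted in the thread (2006).
# 127.0.0.6 is kept only so a stale BLITZEDALL line is still recognised;
# the thread notes it had stopped returning hits.
SBL_XBL_SOURCES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",
    "127.0.0.4": "CBL (XBL)",
    "127.0.0.5": "NJABL (XBL)",
    "127.0.0.6": "BLITZED (XBL, retired)",
}

# Matt's three tests plus the stale BLITZEDALL line.
# Field order: NAME ip4r ZONE RESULT FAIL-WEIGHT [PASS-WEIGHT]
GLOBAL_CFG = """
SPAMHAUS    ip4r   sbl-xbl.spamhaus.org   127.0.0.2   120
XBL         ip4r   sbl-xbl.spamhaus.org   127.0.0.4   60
NJABL       ip4r   sbl-xbl.spamhaus.org   127.0.0.5   50
BLITZEDALL  ip4r   sbl-xbl.spamhaus.org   127.0.0.6   5   0
"""

# Darin's single wildcard test on the combined zone.
WILDCARD_CFG = "SBL-XBL  ip4r  sbl-xbl.spamhaus.org  *  55  0\n"

Test = Tuple[str, str, str, int]  # (name, zone, expected result, fail weight)


def parse_ip4r_tests(cfg: str) -> List[Test]:
    """Pull the ip4r lines out of a global.cfg fragment; other test types are skipped."""
    tests: List[Test] = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[1].lower() != "ip4r":
            continue
        name, _, zone, expected, fail_weight = fields[:5]
        tests.append((name, zone.lower().rstrip("."), expected, int(fail_weight)))
    return tests


def ip4r_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 10.2.0.192.sbl-xbl.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed answers for RFC 5737 documentation addresses: hypothetical
# listings, not real Spamhaus data.
FAKE_DNS: Dict[str, List[str]] = {
    "10.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.4"],               # CBL only
    "20.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2", "127.0.0.5"],  # SBL and NJABL
}


def fake_resolver(qname: str) -> List[str]:
    """Stand-in for an A-record lookup; an empty list means not listed."""
    return FAKE_DNS.get(qname, [])


def sources_for(answers: List[str]) -> List[str]:
    """Name the data source behind each return code, flagging unknown codes."""
    return [SBL_XBL_SOURCES.get(a, f"unknown ({a})") for a in sorted(set(answers))]


def evaluate(ip: str, tests: List[Test],
             resolver: Callable[[str], List[str]]) -> Tuple[Dict[str, int], int]:
    """Run every ip4r test, issuing one query per distinct zone.

    Returns ({failed test name: weight}, number of DNS lookups made).
    """
    by_zone: Dict[str, List[Test]] = defaultdict(list)
    for t in tests:
        by_zone[t[1]].append(t)

    failed: Dict[str, int] = {}
    lookups = 0
    for zone, zone_tests in by_zone.items():
        answers = set(resolver(ip4r_name(ip, zone)))
        lookups += 1
        if not answers:
            continue  # not listed in this zone: none of its tests fail
        for name, _, expected, weight in zone_tests:
            if expected == "*" or expected in answers:
                failed[name] = weight
    return failed, lookups


if __name__ == "__main__":
    tests = parse_ip4r_tests(GLOBAL_CFG)
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        failed, lookups = evaluate(ip, tests, fake_resolver)
        codes = fake_resolver(ip4r_name(ip, "sbl-xbl.spamhaus.org"))
        print(ip, failed, f"{lookups} lookup(s)", sources_for(codes))
```

Running the wildcard config against the same resolver shows the trade-off: a single SBL-XBL line with `*` costs one lookup and catches everything, but the header will only ever say SBL-XBL, so you cannot weight an SBL hit differently from a CBL or NJABL hit, nor notice when a source (like BLITZED here) quietly stops returning data.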

RE: [Declude.JunkMail] Negative weight isn't working

2006-11-09 Thread Colbeck, Andrew
Todd, do this from a command line:

C:\Temp>nslookup 66.187.204.25
Server:  Andrew's.obfuscated.dns.server
Address:  192.168.0.1

Name:    treets100.ibsys.com
Address:  66.187.204.25

C:\Temp>

That tells me that your REVDNS won't match, because their reverse DNS is
*not* the same as the HELO value that you used for your REVDNS test.

The same is also true for your use of the MAILFROM, which does not have
to match the From: address you see in the header. Look at the
X-Declude-Sender: line in the header that has been marked up.  The
MAILFROM was really [EMAIL PROTECTED].

Andrew 8)




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Todd Richards
 Sent: Thursday, November 09, 2006 11:44 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Negative weight isn't working
 
 OK, here is an update with the header of the particular message.
 
 Todd
 
 
 Received: from treetso101.mtc.ibsys.com [66.187.204.25] by 
 mail.nnepa.com with ESMTP
   (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600
 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST)
 From: KETV.com Newsroom [EMAIL PROTECTED]
 Reply-to: [EMAIL PROTECTED]
 Message-Id: [EMAIL PROTECTED]
 X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006
 Subject: [21]   KETV.com Noon Headlines
 To: [EMAIL PROTECTED]
 Content-type: text/html; charset=us-ascii
 X-RBL-Warning: MXRATE-ALLOW: GOOD SENDER
 X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has 
 no MX or A records [0301].
 X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test 
 (line 55, weight
 15)
 X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 
 76, weight 4)
 X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the 
 limit of 10.
 X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25]
 X-Declude-Spoolname: D6ccc08932bf7.smd
 X-Declude-RefID: 
 X-Declude-Note: Scanned by Declude 4.3.14 for spam.
 http://www.declude.com/x-note.htm;
 X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006
 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM 
 [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 
 [19], WEIGHT19a [19]
 X-Country-Chain: UNITED STATES-destination
 X-RCPT-TO: [EMAIL PROTECTED]
 Status: U
 X-UIDL: 463090338
 X-IMail-ThreadID: 6ccc08932bf7
 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524]
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Todd Richards
 Sent: Thursday, November 09, 2006 1:19 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Negative weight isn't working
 
 Hi David -
 
 OK, it appears that it is running the test.  Here is a snip 
 of the log:
 
 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter 
 file D:\imail\Declude\Filters\FILTER-SPAM.txt.
 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter 
 file D:\imail\Declude\Filters\FILTER-GERMAN.txt.
 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter 
 file D:\imail\Declude\Filters\FILTER-SURBL.txt.
 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will 
 stop at first hit.
 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter 
 file D:\iMail\Declude\Filters\Gibberish.txt.
 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter 
 file D:\iMail\Declude\Filters\Anti-Gibberish.txt.
 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter 
 file D:\imail\Declude\Filters\FILTER-COUNTRY.txt.
 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking 
 countries:  US .
 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter 
 file D:\IMail\Declude\filters\allowlist_low.txt.
 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter 
 file D:\IMail\Declude\filters\allowlist_med.txt.
 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter 
 file D:\IMail\Declude\filters\allowlist_high.txt.
 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . 
  Total weight = -3.
 
 However, before I ran the Debug mode I had one of the emails 
 in question caught in the trap, and there was nothing in the 
 headers about an allowlist_med.  Which means that there 
 must be something not right in the filter itself.  This 
 particular newsletter is listed in my ALLOWLIST_MED as a 
 MAILFROM with the full email address of 
 [EMAIL PROTECTED]  Is there a better way to do that?
 
 Should I wait to see what the logs look like on the debug 
 mode when the next one comes through later today?
 
 Todd
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Barker
 Sent: Thursday, November 09, 2006 12:07 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Negative weight isn't working
 
 Todd,
 
 Run your global.cfg on DEBUG and see if the test is being called correctly.
 
 David B
 www.declude.com 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Todd Richards
 Sent: Thursday, November 09, 2006 11:54 
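Added example, not Declude's code, showing where the values Andrew points at actually come from. It parses a header constructed to match the one Todd posted (the redacted mailbox addresses are replaced with placeholders; host names and the IP are the ones quoted) and uses a stand-in PTR table holding the nslookup answer above. HELO and the connecting IP are read from our own Received: line, MAILFROM from X-Declude-Sender:, REVDNS from the PTR of the connecting IP, and the failed test names from X-Declude-Fail:. The result makes clear why a REVDNS line written with the HELO name, or a MAILFROM line written with the From: address, cannot match.

```python
"""Which values do REVDNS / HELO / MAILFROM counterweight lines actually see?

No network I/O: FAKE_PTR stands in for the reverse lookup.
"""
import re
from email import message_from_string
from typing import Any, Dict, List

# Constructed header modelled on the one posted in the thread. The mailbox
# addresses are placeholders for the redacted originals.
SAMPLE_HEADERS = """\
Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.example.net with ESMTP
  (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600
From: KETV.com Newsroom <noon-headlines@example.com>
Subject: [21]   KETV.com Noon Headlines
X-Declude-Sender: bounces@example.org [66.187.204.25]
X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10]

(body omitted)
"""

# Stand-in for a PTR lookup; the value is the nslookup answer quoted above.
FAKE_PTR: Dict[str, str] = {"66.187.204.25": "treets100.ibsys.com"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\[" + IPV4 + r"\]", re.I)
SENDER_RE = re.compile(r"^(\S+)\s+\[" + IPV4 + r"\]$")
FAIL_RE = re.compile(r"([A-Za-z0-9_-]+)\s+\[-?\d+\]")


def extract_fields(raw_message: str,
                   ptr: Dict[str, str] = FAKE_PTR) -> Dict[str, Any]:
    """Return the values Declude filter lines test, keyed by filter field name."""
    msg = message_from_string(raw_message)
    fields: Dict[str, Any] = {
        "remoteip": None, "helo": None, "revdns": None,
        "mailfrom": None, "from_header": msg.get("From"), "testsfailed": [],
    }

    # HELO and connecting IP come from the topmost (our own) Received: line.
    received = msg.get_all("Received") or []
    if received:
        first = " ".join(received[0].split())  # unfold continuation lines
        m = RECEIVED_RE.match(first)
        if m:
            fields["helo"], fields["remoteip"] = m.group(1), m.group(2)

    # MAILFROM is the envelope sender Declude recorded, not the From: header.
    sender = msg.get("X-Declude-Sender")
    if sender:
        m = SENDER_RE.match(" ".join(sender.split()))
        if m:
            fields["mailfrom"] = m.group(1)

    # REVDNS is the PTR of the connecting IP, which need not equal the HELO.
    if fields["remoteip"]:
        fields["revdns"] = ptr.get(fields["remoteip"])

    fields["testsfailed"] = FAIL_RE.findall(msg.get("X-Declude-Fail", ""))
    return fields


def explain_mismatch(fields: Dict[str, Any]) -> List[str]:
    """Spell out which identity values differ, so the rule lands on the right field."""
    notes: List[str] = []
    helo, revdns = fields["helo"], fields["revdns"]
    if helo and revdns and helo.lower() != revdns.lower():
        notes.append(f"HELO {helo} != REVDNS {revdns}: "
                     "a REVDNS line written with the HELO name will not match")
    from_header = (fields["from_header"] or "").lower()
    mailfrom = fields["mailfrom"]
    if mailfrom and mailfrom.lower() not in from_header:
        notes.append(f"MAILFROM {mailfrom} is not the From: address: "
                     "a MAILFROM line written with the From: address will not match")
    return notes


if __name__ == "__main__":
    parsed = extract_fields(SAMPLE_HEADERS)
    for key in ("remoteip", "helo", "revdns", "mailfrom", "from_header", "testsfailed"):
        print(f"{key:12} {parsed[key]}")
    for note in explain_mismatch(parsed):
        print("-", note)
```

For this sample the only stable handle is the PTR suffix: `REVDNS -30 ENDSWITH .ibsys.com` matches `treets100.ibsys.com`, whereas a line keyed on `treetso101.mtc.ibsys.com` (the HELO) or on the From: mailbox does not.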

RE: [Declude.JunkMail] Negative weight isn't working

2006-11-09 Thread Colbeck, Andrew
No problem, Todd.

To answer your question in the other thread, yes, more specific is more
better.  On the other hand, you also have to look at what you're really
trying to counterweight.

In this case, you could certainly counterweight both the REVDNS of their
mailserver, and the particular MAILFROM email address too, but after
visiting the site, I suspect that you really don't care about the
MAILFROM.

You can use the

REVDNS -30 ENDSWITH .ibsys.com

Just fine.  If you do use a MAILFROM, don't use much weight, because
viruses harvest all email addresses from the infectee and report them
back to the virus writer or spammer, and that address becomes a spoofed
MAILFROM later down the road.

Viruses also spoof the HELO, so a:

HELO -30 ENDSWITH comcast.com

Or

REVDNS -30 ENDSWITH .comcast.com

Would be a bad thing to put in your counterweight file, because a virus
is quite likely to come from a zombie on that network.

What I'd suggest you do for ibsys.com is look at your FILTER-SPAM test
and see why it gave 15 points to this email.

You will likely get better mileage (i.e. spend less of your time on your
counterweight file making exceptions for MTAs) by assigning only
incremental points to text values in your filter files, don't look for
the big win by blocking small text phrases or small bits of text in a
URL.

To go the extra mile (hey, a driving theme today [pun intended]) why not
decide which IP4R tests you trust, and/or which external tests you
trust, and cancel the dangerously punitive text files?

At the top of your FILTER-SPAM test, you *could* put in:

TESTSFAILED END CONTAINS MXRATE-ALLOW

And then messages like this sample wouldn't have received any points
from the FILTER-SPAM test, you would save CPU time on your server, save
your user's time in figuring out that they didn't receive that inbound
message, and save your time on finding the false positives and making
counterweight entries.

The downside of making a cancel line in your filter files is that
MXRATE-ALLOW will trigger on, say, a well known ISPs' MTA, and you
*want* to do content filtering on, say, scam text that is so common from
HotMail, Yahoo!, and various international free webmail providers that
you wouldn't otherwise hear about.

Most Declude users end up with filter files that are focused on kinds of
spam and tweak their cancel lines accordingly.

There is a great deal of art to this science.

Andrew 8)



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Todd Richards
 Sent: Thursday, November 09, 2006 12:42 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Negative weight isn't working
 
 Thanks Andrew.  I'm starting to catch on.  The good news is 
 that everyone else thinks I'm a miracle worker because of 
 the drastic decrease in spam.
 One of these days I'll break down and tell them the truth.  
 So if you all happen to start getting Thank You cards from 
 people you don't know, that's probably why...
 
 Todd
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Colbeck, Andrew
 Sent: Thursday, November 09, 2006 2:23 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] Negative weight isn't working
 
 Todd, do this from a command line:
 
 C:\Temp>nslookup 66.187.204.25
 Server:  Andrew's.obfuscated.dns.server
 Address:  192.168.0.1
 
 Name:    treets100.ibsys.com
 Address:  66.187.204.25
 
 C:\Temp>
 
 That tells me that your REVDNS won't match, because their 
 reverse DNS is
 *not* the same as the HELO value that you used for your REVDNS test.
 
 The same is also true for your use of the MAILFROM, which 
 does not have to match the From: address you see in the 
 header. Look at the
 X-Declude-Sender: line in the header that has been marked up. 
  The MAILFROM was really [EMAIL PROTECTED].
 
 Andrew 8)
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Todd Richards
  Sent: Thursday, November 09, 2006 11:44 AM
  To: declude.junkmail@declude.com
  Subject: RE: [Declude.JunkMail] Negative weight isn't working
  
  OK, here is an update with the header of the particular message.
  
  Todd
  
  
  Received: from treetso101.mtc.ibsys.com [66.187.204.25] by 
  mail.nnepa.com with ESMTP
(SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600
  Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST)
  From: KETV.com Newsroom [EMAIL PROTECTED]
  Reply-to: [EMAIL PROTECTED]
  Message-Id: [EMAIL PROTECTED]
  X-unsub: 
 ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006
  Subject: [21]   KETV.com Noon Headlines
  To: [EMAIL PROTECTED]
  Content-type: text/html; charset=us-ascii
  X-RBL-Warning: MXRATE-ALLOW: GOOD SENDER
  X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com 
 has no MX or 
  A records [0301].
  X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test 
 (line 55, 
  weight
  15)
  X-RBL-Warning: GIBBERISH: Message failed GIBBERISH

RE: [Declude.JunkMail] whitelisting based on rev dns

2006-11-08 Thread Colbeck, Andrew



Craig, I don't use any of the Declude WHITELIST features 
due to the potential for giving the sender carte blanche access; if a known good 
sender is sending crap, I still want to have a chance to block the 
crap.

What I do is counterweight.

I create a filter file called, say, CounterWeight.txt and 
in the global.cfg I give it zero weight for passing or 
failing.

Inside the filter file, I put in lines like 
this:

#Feb-01-2006 AC SurveyMonkey.com MAILFROM spoofs the email address of whomever is sending out the survey invitations
REMOTEIP -10 CIDR 66.179.50.160/27
REVDNS -5 ENDSWITH .surveymonkey.com

My preference is to use REMOTEIP tests, then REVDNS, then HELO, then HEADERS, then MAILFROM for reliability and anti-spoofedness. Likewise, they get descending amounts of negative weight.

Another tip:

I put a test at the top of my CounterWeight file(s) 
that aborts processing if I don't want to reward a message with negative weight, 
such as if a prior filter test (according to the top-down order in global.cfg) 
of mine detected a known virus or junk email that I know I want to block 
regardless of whom it came from, e.g.

TESTSFAILED END CONTAINS VIRUSBOUNCE
TESTSFAILED END CONTAINS COMBOSNIFFER


Andrew 8)



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
  Sent: Wednesday, November 08, 2006 10:25 AM
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] whitelisting based on rev dns
  Importance: High
  Sensitivity: Confidential

  How can I whitelist based on Reverse DNS?

  Kindest Regards
  Craig Edmonds
  123 Marbella Internet
  W: www.123marbella.com
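The counterweight mechanism described in Andrew's two replies (the "Negative weight isn't working" thread above and this post) can be modelled in a few dozen lines. What follows is an added example, not Declude's filter engine: it supports only the operators the posts use (CIDR, IS, ENDSWITH, CONTAINS), takes already-parsed message attributes as a dict, and treats a matching line whose weight column is END as "stop processing this file", which is why the TESTSFAILED lines go first. The SurveyMonkey lines come from the post and the ibsys line from Andrew's suggestion; the MAILFROM line and all four sample messages are constructed. The same cancel-line idea applies to `TESTSFAILED END CONTAINS MXRATE-ALLOW` at the top of a FILTER-SPAM file.

```python
"""Minimal model of a Declude-style counterweight filter file.

Supported operators: CIDR, IS, ENDSWITH, CONTAINS. A weight of END means
"if this line matches, stop processing the file here".
"""
import ipaddress
from typing import Any, Dict, List, Tuple

# Filter file in the style of the posts. The END lines sit first so that a
# message another filter already pinned as a virus bounce or known junk
# gets no counterweight at all.
COUNTERWEIGHT_TXT = """
TESTSFAILED END CONTAINS VIRUSBOUNCE
TESTSFAILED END CONTAINS COMBOSNIFFER

#Feb-01-2006 AC SurveyMonkey.com MAILFROM spoofs the address of whoever sends the invitations
REMOTEIP -10 CIDR 66.179.50.160/27
REVDNS -5 ENDSWITH .surveymonkey.com

REVDNS -30 ENDSWITH .ibsys.com
MAILFROM -2 IS newsletter@example.com
"""

Rule = Tuple[str, str, str, str]  # (FIELD, weight or END, OPERATOR, argument)


def parse_filter(text: str) -> List[Rule]:
    """One rule per non-comment line: FIELD WEIGHT OPERATOR ARGUMENT."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"malformed filter line: {line!r}")
        field, weight, op, arg = parts
        if weight.upper() != "END":
            int(weight)  # fail early on a typo in the weight column
        rules.append((field.upper(), weight, op.upper(), arg))
    return rules


def _match(value: Any, op: str, arg: str) -> bool:
    """Case-insensitive comparison for the operators used in the posts."""
    if value is None:
        return False
    if op == "CIDR":
        return ipaddress.ip_address(value) in ipaddress.ip_network(arg, strict=False)
    v, a = str(value).lower(), arg.lower()
    if op == "IS":
        return v == a
    if op == "ENDSWITH":
        return v.endswith(a)
    if op == "CONTAINS":
        return a in v
    raise ValueError(f"unsupported operator {op}")


def evaluate(msg: Dict[str, Any], rules: List[Rule]) -> Tuple[int, List[str]]:
    """Sum the weights of matching lines; a matching END line stops the file.

    With the END lines first, a hit there returns before any negative
    weight has accumulated, so the message gets no reward.
    """
    total, hits = 0, []
    for field, weight, op, arg in rules:
        if field == "TESTSFAILED":
            value = " ".join(msg.get("testsfailed", []))
        else:
            value = msg.get(field.lower())
        if not _match(value, op, arg):
            continue
        hits.append(f"{field} {weight} {op} {arg}")
        if weight.upper() == "END":
            break
        total += int(weight)
    return total, hits


RULES = parse_filter(COUNTERWEIGHT_TXT)

# Constructed messages in the shape a header parser would hand over.
SURVEY_INVITE = {"remoteip": "66.179.50.170", "revdns": "smtp3.surveymonkey.com",
                 "helo": "smtp3.surveymonkey.com", "mailfrom": "someone@example.net",
                 "testsfailed": ["FILTER-SPAM"]}
NEWSLETTER = {"remoteip": "66.187.204.25", "revdns": "treets100.ibsys.com",
              "helo": "treetso101.mtc.ibsys.com", "mailfrom": "bounces@example.org",
              "testsfailed": ["MXRATE-ALLOW", "HELOBOGUS", "FILTER-SPAM"]}
VIRUS_FROM_SAME_HOST = dict(NEWSLETTER, testsfailed=["VIRUSBOUNCE", "FILTER-SPAM"])
ZOMBIE = {"remoteip": "192.0.2.77", "revdns": "c-192-0-2-77.hsd1.example-isp.net",
          "helo": "mail.ibsys.com",  # spoofed HELO; no REVDNS line is keyed on HELO
          "mailfrom": "newsletter@example.com", "testsfailed": ["FILTER-SPAM"]}

if __name__ == "__main__":
    for label, m in (("survey", SURVEY_INVITE), ("newsletter", NEWSLETTER),
                     ("virus", VIRUS_FROM_SAME_HOST), ("zombie", ZOMBIE)):
        print(label, evaluate(m, RULES))
```

The ZOMBIE message illustrates the ordering Andrew describes: its HELO claims an ibsys.com name but nothing is keyed on HELO, the PTR belongs to a consumer ISP, and the only line it earns is the small MAILFROM one, which is exactly why MAILFROM lines should carry little weight.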


RE: [Declude.JunkMail] declude not modifying subject line

2006-11-08 Thread Colbeck, Andrew
Me three!

Is it done yet? No? Darn.

Frankly, David, if the Declude app is going to have to rewrite the whole
message anyway to insert headers, make it an optional *feature* to fix
up the line terminators. Then market it as a unique feature; I
understand that Venture Capitalists love their startups to have
innovative features that differentiate their product in the marketplace.

Meanwhile, just fix the Declude app so that it inserts the header correctly
as befits our reasonable expectations as set by all the other products
in the marketplace.

Andrew.


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Darin Cox
 Sent: Wednesday, November 08, 2006 10:41 AM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] declude not modifying subject line
 
 Agreed.  Put the headers where they need to be.  Don't worry 
 about fixing
 the message.
 
 Having this additional test could be worthwhile as well, to 
 identify and report on mailers that are broken in this fashion.
 
 Darin.
 
 
 - Original Message -
 From: Andy Schmidt [EMAIL PROTECTED]
 To: declude.junkmail@declude.com
 Sent: Wednesday, November 08, 2006 12:03 PM
 Subject: RE: [Declude.JunkMail] declude not modifying subject line
 
 
 Hi Dave:
 
  1. This is currently being worked on, there are several other things that
 need to be taken into account when doing this, for example if Declude has to
 rewrite all the messages in order to correct this problem there will be a hit
 on performance. We are also looking at some other alternatives. Any
 suggestions are welcome. 
 
 Although I know this had been suggested - I personally don't feel that
 Declude needs (or even SHOULD) rewrite the message.  If the message is
 readable by Imail, Outlook, etc. - then the sender is in 
 luck.  If not,
 then the fact that other software can't read the message will 
 motivate the
 sender to use RFC compliant formatting.
 
 I feel all that's necessary is that Declude's end-of-line 
 parsing should be
 made intelligent enough so that it DOES detect various CR 
 CR/LF LF LF/CR
 combinations and treat them as end-of-line, so that it can 
 properly detect
 the intended last header.
 
 This way, Declude can:
 
 A) append its own header at the proper location (not append it below the
 message body.)
 
 B) determine where the message content starts (so that the content can be
 properly scanned for Viruses)
 
 
 I get the feeling this issue of end-of-line detection is 
 being made overly
 complicated.
 
 Declude is not a message-fixer-upper. I have enough 
 problems with people
 using CISCO SMTP FIXUP that breaks everything. Declude's job is to
 correctly determine the header vs. content and then subject 
 the header and
 content to appropriate analysis.
 
 If a message is found to be malformed, then Declude can make it fail a
 Test so that the mail admin can decide to accept or reject 
 those messages
 - but it's not Declude's job to artificially make an 
 incompatible message
 compatible with email clients.
 
 
 Best Regards
 Andy Schmidt
 
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David
 Barker
 Sent: Wednesday, November 08, 2006 11:38 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] declude not modifying subject line
 
 Herb,
 
 1. This is currently being worked on, there are several other things that
 need to be taken into account when doing this, for example if Declude has to
 rewrite all the messages in order to correct this problem there will be a hit
 on performance. We are also looking at some other alternatives. Any
 suggestions are welcome.
 
 2. This is not as simple as having these type of messages 
 fail a test as
 there are too many variables in play wrt line terminators.
 
 3. In your \Declude folder there should be a \Resources 
 folder which has the
 latest config files.
 
 David B
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Herb
 Guenther
 Sent: Wednesday, November 08, 2006 11:22 AM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] declude not modifying subject line
 
 Hi David;
 
 In an earlier message (below) you mentioned that you were 
 working on adding
 the ability to handle these malformed messages.
 
 A couple questions.
 
 1. When will this happen as it has been a problem for quite a 
 while now?
 
 2. The messages themselves are not failing any of the tests 
 that I am using.
 Shouldn't we at least be able to have them fail a test and 
 then take an
 action based on that?
 
 Also, I want to make sure that all of my config files are 
 correct, and that
 I do not have any deprecated tests in them.  When I go to the online
 manuals on your site, the links to the tests are broken, 
 and I cannot find
 samples of the config files.  Can you tell me where they are, 
 and 
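Andy's point about end-of-line detection is where the security risk in this thread actually sits: if the filter and the mail client disagree about where the header block ends, the filter's own header lands in the wrong place and the body it hands to the virus scanner is not the body the client renders. The following is an added example, not Declude's code or anything posted on the list: a boundary finder that accepts CRLF, bare LF, bare CR and the "CR CR/LF" pattern from the thread as terminators, next to the RFC-strict scan that only knows CRLF CRLF, plus a header insert that reuses the message's own terminator style rather than rewriting the message. The sample messages are constructed byte strings.

```python
"""Added example, not Declude's code: find the header/body boundary in a
raw message whose line terminators are inconsistent, the way Andy Schmidt
suggests the filter should, and compare with the RFC-strict scan.
Sample messages below are constructed byte strings."""
import re

# One terminator is CRLF, a bare LF, a bare CR, or the doubled "CR CR LF"
# the thread complains about.  Alternation is tried left to right, so the
# longest forms are listed first and "\r\r\n" is consumed as one unit.
_EOL = re.compile(rb"\r\r\n|\r\n|\n|\r")


def naive_header_end(raw: bytes) -> int:
    """RFC 5322 view: the header block ends at the first CRLF CRLF.
    Returns -1 when the message never contains that exact sequence, which
    is the case for LF-only or CR CR LF mailers."""
    return raw.find(b"\r\n\r\n")


def tolerant_header_end(raw: bytes) -> int:
    """Offset where the body starts: the end of the first terminator that is
    immediately followed by another terminator (an empty line), whatever
    mix of CR and LF the mailer used.  If there is no empty line the whole
    message is treated as headers."""
    pos = 0
    while True:
        eol = _EOL.search(raw, pos)
        if eol is None:
            return len(raw)
        blank = _EOL.match(raw, eol.end())
        if blank is not None:
            return blank.end()
        pos = eol.end()


def split_message(raw: bytes):
    """(headers, body) using the tolerant boundary."""
    end = tolerant_header_end(raw)
    return raw[:end], raw[end:]


def header_lines(raw_headers: bytes):
    """Header lines split on the same terminator set, empty lines dropped,
    so the intended last header is found regardless of terminator style."""
    return [line for line in _EOL.split(raw_headers) if line]


def insert_header(raw: bytes, new_header: bytes) -> bytes:
    """Place new_header as the last header line, terminated the way the
    message's own last header was.  The message is otherwise untouched:
    this is the 'not a fixer-upper' behaviour argued for in the thread."""
    headers, body = split_message(raw)
    terms = list(_EOL.finditer(headers))
    eol = terms[-1].group(0) if terms else b"\r\n"
    if len(terms) >= 2 and terms[-2].end() == terms[-1].start():
        # headers ends with the empty separator line; drop it and re-add it
        headers = headers[: terms[-1].start()]
    elif not headers.endswith(eol):
        headers += eol
    return headers + new_header + eol + eol + body


# Constructed samples: the same message from three differently broken mailers.
CRLF_MSG = b"From: a@example.test\r\nSubject: hi\r\n\r\nbody\r\n"
LF_MSG = b"From: a@example.test\nSubject: hi\n\nbody\n"
CRCRLF_MSG = b"From: a@example.test\r\r\nSubject: hi\r\r\n\r\r\nbody\r\r\n"
```

`naive_header_end` returns -1 for both the LF-only and the CR CR LF messages, which is exactly the situation in which a CRLF-only scanner never finds the boundary and appends its header after the body; `tolerant_header_end` finds the same boundary the client will use, so the body the scanner sees is the body the user opens.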

RE: [Declude.JunkMail] Weighting based on some Imail Tests...?

2006-11-08 Thread Colbeck, Andrew
The traditional answer on this is that IMail does not mark up the header
until after Declude returns control of the message to it, so therefore,
Declude can not leverage any of the tests that IMail does.

That does not stop you from using any of the IMail features though if
you want to think of them as separate layers. I'd suggest that the
blacklist tests at least are best run in Declude only.

Andrew 8)



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Darrell ([EMAIL PROTECTED])
 Sent: Wednesday, November 08, 2006 11:10 AM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] Weighting based on some Imail 
 Tests...?
 
 Jim,
 
 It depends on the Imail test -Some are processed before 
 Declude.  I am not exactly sure which ones run before Declude 
 as I do not use any of the Imail tests.
 
 Processing Order for IMail
 Both IMail and Declude have a number of different tests that 
 they run on email. The order used is as follows:
 
    1. IMail's Control Access file (to block IPs)
    2. IMail's Kill List (to block return addresses)
    3. IMail v8 anti-spam (most tests)
    4. Declude Virus
    5. Declude Hijack
    6. Declude JunkMail
    7. IMail's filters and extra IMail v8 anti-spam tests
 
 Darrell
 
 --
 --
 Check out http://www.invariantsystems.com for utilities for 
 Declude And Imail.  IMail/Declude Overflow Queue Monitoring, 
 SURBL/URI integration, MRTG Integration, and Log Parsers.
 - Original Message -
 From: Jim Comerford [EMAIL PROTECTED]
 To: declude.junkmail@declude.com
 Sent: Wednesday, November 08, 2006 1:10 PM
 Subject: [Declude.JunkMail] Weighting based on some Imail Tests...?
 
 
  I'm relatively new to Declude, but have been using Imail and 
  many of its tests for quite a while.
  
  I'm curious if it is possible to use some of imail's antispam 
  tests (specifically Bayesian filter, and url-blacklist) to add 
  weight to declude tests.  We have had great results with 
  these two tests and if they were in the weighting system I 
  think it would help.  I'm not sure which part of imail's 
  tests get run before control is passed to declude, but it 
  seems if these are, declude should be able to use them in the 
  weighting system...
  
  Is anyone doing anything like this?  Or am I off base and 
  duplicating something that declude already offers...?
 
 
 
 
 
 
 
 
 
 
 
 






RE: [Declude.JunkMail] whitelisting based on rev dns

2006-11-08 Thread Colbeck, Andrew



In the header of the message, look at the last IP address in square 
brackets; this is the IP address of the sending email server. The text just 
before it is the HELO sent by it, and is often unreliable with legitimate 
mail, and practically a work of fiction with spam.

To get the REVDNS that you can put in your filter files, go to a command 
prompt and use the name server lookup program with the IP address as the 
only parameter, e.g.

C:\Temp>nslookup 63.246.31.248
Server:  myinternal.DNS.server
Address:  192.168.0.1

Name:    smtp.declude.com
Address:  63.246.31.248

C:\Temp>

Some admins don't mind the extra overhead, and use the XINHEADER and/or 
XOUTHEADER feature in their global.cfg to insert various lines into the 
header of every message that contain Declude variables like REVDNS. One 
common thing that comes up when doing this is that if you use the ALLRECIPS 
to document in the header who all the recipients are, you've just "blown the 
cover" on someone who sent a legitimate email with a BCC list of recipients 
in your domain(s). Don't do that.

Andrew 8)
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Richards
 Sent: Wednesday, November 08, 2006 1:13 PM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] whitelisting based on rev dns
 
 Is the Reverse DNS in the headers anywhere? I've just been going out to 
 DNSReports.com and pulling it for the ones I want to add. Easier way?
 
 Todd
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Evanitsky
 Sent: Wednesday, November 08, 2006 12:56 PM
 To: declude.junkmail@declude.com
 Subject: Re: [Declude.JunkMail] whitelisting based on rev dns
 Importance: High
 
 On Nov 8, 2006, at 1:24 PM, Craig Edmonds wrote:
 
  How can I whitelist based on Reverse DNS?
 
 Create a filter with lines like
 
 REVDNS xxx ENDSWITH .abcdefghi.com
 
 where xxx is weight to apply. Xxx could be a very high number to cause the 
 message to be deleted or it could be a negative number.
 
 In my revdns spam filter I also have the following lines at the top to save 
 processor usage
 
 SKIPIFWEIGHT xx
 STOPATFIRSTHIT
 
 If the message's weight already exceeds xx the filter will be skipped.
 
 Later,
 Greg
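Andrew's ordering of REMOTEIP, then REVDNS, then HELO (earlier in this archive, together with the CounterWeight `TESTSFAILED END` guard) and Greg's `REVDNS xxx ENDSWITH` whitelist above both hinge on one caveat a practitioner would want spelled out: the PTR record is published by whoever controls the reverse zone for the sending IP, so a REVDNS match on its own can be forged by a spammer on his own netblock unless the name also resolves forward to that IP. The following is an added example, not Declude's code or anything posted on the list: a small evaluator for the subset of filter syntax quoted in these messages (SKIPIFWEIGHT, STOPATFIRSTHIT, and `VAR weight OP value` with END as the abort weight; the exact grammar, including `REMOTEIP ... CIDR` and the `IS` operator, is assumed from those fragments) that only honours a REVDNS rule when the PTR forward-confirms. The DNS data and the two messages are constructed stubs so it runs offline; whether Declude itself forward-confirms REVDNS is not stated anywhere in this thread.

```python
"""Added example, not Declude's code: evaluate the REVDNS / REMOTEIP style
filter lines quoted on this list, but only reward a REVDNS match when the
PTR name forward-confirms to the sending IP.  DNS data is a constructed stub
so this runs offline."""
import ipaddress

# Constructed DNS.  The spammer controls the reverse zone for 203.0.113.9
# and has published a PTR inside surveymonkey.com; nobody at surveymonkey
# has an A record pointing that name back at 203.0.113.9.
PTR = {
    "66.179.50.170": "smtp1.surveymonkey.com",
    "203.0.113.9": "mail.surveymonkey.com",
}
A = {
    "smtp1.surveymonkey.com": {"66.179.50.170"},
    "mail.surveymonkey.com": {"66.179.50.200"},
}


def revdns(ip, ptr=PTR):
    """What the REVDNS variable carries: the PTR name, or '' if none."""
    return ptr.get(ip, "")


def fcrdns_ok(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = revdns(ip, ptr)
    return bool(name) and ip in a.get(name, set())


def parse_filter(text):
    """Parse the subset of filter syntax seen in these messages (assumed
    grammar): 'SKIPIFWEIGHT n', 'STOPATFIRSTHIT', and 'VAR weight OP value'
    where weight is an integer or END (abort this file on a match)."""
    rules, skipifweight, stop_first = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if parts[0] == "SKIPIFWEIGHT":
            skipifweight = int(parts[1])
        elif parts[0] == "STOPATFIRSTHIT":
            stop_first = True
        elif len(parts) == 4:
            rules.append(tuple(parts))
        else:
            raise ValueError("unrecognised filter line: " + line)
    return rules, skipifweight, stop_first


def matches(op, actual, value):
    if op == "CIDR":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    actual, value = actual.lower(), value.lower()
    if op == "ENDSWITH":
        return actual.endswith(value)
    if op == "CONTAINS":
        return value in actual
    if op == "IS":
        return actual == value
    raise ValueError("unsupported operator: " + op)


def run_filter(text, msg, current_weight=0, require_fcrdns=True):
    """Weight this filter file adds for msg (a dict of Declude-style
    variables).  REVDNS rules are skipped unless the PTR forward-confirms;
    REMOTEIP/CIDR rules need no such check because the IP is the one the
    server actually spoke to."""
    rules, skipifweight, stop_first = parse_filter(text)
    if skipifweight is not None and current_weight >= skipifweight:
        return 0
    total = 0
    for var, weight, op, value in rules:
        if var == "REVDNS" and require_fcrdns and not fcrdns_ok(msg["REMOTEIP"]):
            continue
        if not matches(op, msg.get(var, ""), value):
            continue
        if weight == "END":
            return total
        total += int(weight)
        if stop_first:
            break
    return total


# Constructed CounterWeight file: abort before rewarding anything a prior
# test already condemned, then reward by IP range first and PTR second.
COUNTERWEIGHT = """
SKIPIFWEIGHT 50
TESTSFAILED END CONTAINS VIRUSBOUNCE
TESTSFAILED END CONTAINS COMBOSNIFFER
REMOTEIP -10 CIDR 66.179.50.160/27
REVDNS -5 ENDSWITH .surveymonkey.com
"""
STOP_FIRST = "STOPATFIRSTHIT\n" + COUNTERWEIGHT

# Constructed messages.  HELO is carried only to make the point that it is
# attacker-chosen text and is never consulted here.
LEGIT = {"REMOTEIP": "66.179.50.170", "REVDNS": revdns("66.179.50.170"),
         "HELO": "smtp1.surveymonkey.com", "TESTSFAILED": "WEIGHT10 SPAMHEADERS"}
FORGED_PTR = {"REMOTEIP": "203.0.113.9", "REVDNS": revdns("203.0.113.9"),
              "HELO": "smtp1.surveymonkey.com", "TESTSFAILED": "WEIGHT10"}
```

With forward confirmation on, the forged-PTR message earns nothing from the `.surveymonkey.com` line; with it off it collects the same -5 the genuine sender does, which is the whole reason to prefer the REMOTEIP/CIDR line and to give the REVDNS line less negative weight.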


RE: [Declude.JunkMail] Adding custom header line

2006-11-02 Thread Colbeck, Andrew
Markus, I believe that the XINHEADER and XOUTHEADER directives in the
global.cfg are what you're looking for.

They can be used to create an arbitrary header and populate it with any
exposed Declude variables, e.g.:

#XINHEADER  X-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%]).
#XOUTHEADER Organization: Your Name Here


Andrew 8)

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Markus Gufler
 Sent: Thursday, November 02, 2006 3:10 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Adding custom header line
 
 
 According to the manual there is one action to add a line to the message
 header: WARN
 The HEADER action does not add it to the message header but to the head of
 the body.
 
 But the WARN action is limited as it does add a fixed line 
 
 X-RBL-Warning: (description)
 
 
 What if I want to add a custom line to the message header if a certain
 weight was reached?
 For example: 
 
 X-Spam-Flag: YES
 
 ...so that mailservers and email clients behind Declude could use their
 own filters based on this header line.
 
 I have one possible new customer who already has filters for such a
 message header and wants to switch to our spam filters. But for this we
 need such custom message header lines.
 
 Am I missing something here, or is it true that there is no way to do this
 with current Declude versions?
 
 Markus 
 
 
 
 
 
 






RE: [Declude.JunkMail] Adding custom header line

2006-11-02 Thread Colbeck, Andrew
Oops, sorry, I jumped the gun and gave the wrong answer.

What I meant to say was that the %TESTSFAILED% variable could be used
with either XINHEADER/XOUTHEADER and the client would have to parse the
whole line for, say, a traditional WEIGHT20 entry.

If there's a way to create an arbitrary entry based on a weight or a
test status, I'd like to hear about it too.

Andrew 8)



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Markus Gufler
 Sent: Thursday, November 02, 2006 3:10 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] Adding custom header line
 
 
 According to the manual there is one action to add a line to the message
 header: WARN
 The HEADER action does not add it to the message header but to the head of
 the body.
 
 But the WARN action is limited as it does add a fixed line 
 
 X-RBL-Warning: (description)
 
 
 What if I want to add a custom line to the message header if a certain
 weight was reached?
 For example: 
 
 X-Spam-Flag: YES
 
 ...so that mailservers and email clients behind Declude could use their
 own filters based on this header line.
 
 I have one possible new customer who already has filters for such a
 message header and wants to switch to our spam filters. But for this we
 need such custom message header lines.
 
 Am I missing something here, or is it true that there is no way to do this
 with current Declude versions?
 
 Markus 
 
 
 
 
 
 






RE: [Declude.JunkMail] all_list.dat is outdated

2006-10-26 Thread Colbeck, Andrew



DB> 1. The all_list.dat is not updated every release.
DB> 2. The latest all_list.dat is posted on the My Account page 6 July 06

Worse, David, is that the then-current all_list.dat is 
not packaged with the release.

When Declude v3.13 was packaged, it included builds of 
decludeproc.exe dated Oct-21-2006, at that time the current all_list.dat was 
Jul-06-2006 but the package includes an older version dated 
Mar-29-2006.

Why include an old data file in a current 
release?

I'm not suggesting that you update the all_list.dat for 
every release, but rather, I suggest that you include the 
current version of all_list.dat!

Furthermore, I will also suggest that you put out a regular 
release cycle for all_list.dat because ARIN assignments by nature are 
dynamic. Is there a release cycle? It seems to me that it only 
gets updated when there is enough public complaint about it here on the list, 
and that you specifically, David Barker, choose to make it a 
priority.

Andrew.



  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
  Sent: Wednesday, October 25, 2006 2:02 PM
  To: declude.junkmail@declude.com
  Subject: RE: [Declude.JunkMail] all_list.dat is outdated
  
  1. The all_list.dat is not updated every release.
  
  2. The latest all_list.dat is posted on the My Account page 6 July 06
  
  David B
  www.declude.com
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
  Sent: Wednesday, October 25, 2006 4:55 PM
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] all_list.dat is outdated
  
  The version in the customer login area is out of 
  date, and the one inside the "current" Declude installer is 3 months further 
  out of date, even though the installer is newer than the all_list.dat 
  ...
  
  Andrew.
  
  
  
  
  


[Declude.JunkMail] all_list.dat is outdated

2006-10-25 Thread Colbeck, Andrew



The version in the customer login area is out of date, 
and the one inside the "current" Declude installer is 3 months further out of 
date, even though the installer is newer than the all_list.dat 
...

Andrew.









[Declude.JunkMail] Microsoft takes a (third?) stab at promoting SenderID

2006-10-24 Thread Colbeck, Andrew
http://www.microsoft.com/presspass/press/2006/oct06/10-23OSPSenderIDPR.mspx



Andrew.










RE: [Declude.JunkMail] OT: imail q files magically dissapearing

2006-10-23 Thread Colbeck, Andrew



I've noticed the same thing in all versions of Ipswitch 
IMail Server; the cause was broken connections, 99% of which were 
spam.

Only in the absolute latest, v9.10 from Sep-06-2006, have I 
noticed that IMail cleans up after itself. There is an item about this in 
the latest release notes.

Andrew 8)




  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Edmonds
  Sent: Monday, October 23, 2006 3:13 PM
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] OT: imail q files magically dissapearing
  Importance: High
  Sensitivity: Confidential
  
  On one of my imail servers, my spool folder is slowly filling up with D 
  files.
  
  I am using fpreview to view the files in the spool and there are currently 
  180 or so emails.
  
  When I try to "return to queue" I get an error saying that the q file could 
  not be found, which is a bit strange because many many of the emails are 
  local to the server.
  
  When I look in the /spool there is not a single q file anywhere.
  
  Any ideas what's happening?
  
  Has sniffer or declude gone nuts?
  
  Kindest Regards
  Craig Edmonds
  123 Marbella Internet
  W: www.123marbella.com


RE: [Declude.JunkMail] Whitelisting flaw in Declude?

2006-10-19 Thread Colbeck, Andrew



Yeah, what Matt said.

Message splitting before junkmail filtering would 
be punishing for CPU time and somewhat more for disk time; message 
splitting for the sake of whitelisting (or alternate actions) after 
junkmail filtering would be an incremental cost.

And message splitting before junkmail filtering on a system 
that has a wildcard email address would be lethal for that 
system.

Andrew.


p.s. In my corporate network, we email each other a lot, 
and we see that Exchange "single instance storage" of a message only saves us 
20% of the disk space. And that includes single storage of a message in my 
Sent Items as well as in my neighbour's Inbox and the next guy's Deleted 
Items.


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Wednesday, October 18, 2006 8:20 PM
  To: declude.junkmail@declude.com
  Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?
  
  I have some stats here that suggest otherwise. We only have 5% more 
  recipients than messages that make it through our gateway, and we only 
  return permanent errors presently for mail bombing related activities. 
  This however is a dedicated gateway and not a hosted mail server, so stats 
  from a hosted mail server would see a slightly higher rate since most 
  multiple-recipient E-mails are internal to a server. If you are splitting 
  on a gateway and not splitting internal E-mail, you should see no increase 
  beyond my numbers.
  
  It's a doable solution if one has the need.
  
  Matt
  
  Jay Sudowski - Handy Networks LLC wrote: 
  Also, realize that on servers processing a large volume of messages per
day, the additional IO necessary to create duplicate messages and header
files for each specific recipient would be a death sentence...


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
David Barker
Sent: Wednesday, October 18, 2006 9:30 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

To create a duplicate message for each recipient is not a trivial issue.
This is a function of the mail server not Declude.

David Barker
Director of Product Development
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Kevin
Bilbee
Sent: Tuesday, October 17, 2006 5:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

Declude has always functioned like this.

What declude could do in this case is to duplicate the message for each
recipient and write a new header file to each recipient. Not a big
issue.
Deliver to the one that whitelists and run the spam checks for the
others.



Kevin Bilbee

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
Darin Cox
Sent: Tuesday, October 17, 2006 12:37 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?

It's actually more of an issue of how the mail server handles the 
message.
In the case of multiple recipients, since there is only one message 
file addressed to multiple recipients in the headers, it's either 
deliver or not deliver unless you rewrite the headers to modify the 
recipient list.  I think I'd rather not have the spam filtering system

  
alter that.  Add to the header, yes.  Alter the recipients, no.

Also, I have not come across a situation where I wanted to let a 
message go through to one recipient and not to others, except in the 
situation of lists which is a whole other topic.

Darin.


- Original Message -
From: "Dave Beckstrom" [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, October 17, 2006 3:11 PM
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?


I would call that a flaw, then, in how Declude processes the
whitelist.
  
I have a listserver email address for which I do not want email spam 
checked.  This is because I don't want messages going out to the list 
that say SPAM in the subject line.  Because nobody who is not a member

  
on the list can post to the list, there is no problem whitelisting the

  
"TO"
address
for mail sent to the list server email address.

However, spammers will send an email to a dozen of our mail addresses (12
recipients) one of which is the whitelisted "TO" address for the 
listserver.
Because of the way Declude processes the whitelist, that means that 
the other 11 recipient receive the spam even though mail to them is 
not whitelisted.

That is a bad design on Declude's part, wouldn't you agree?  Anyone 
else feel that this needs to be rectified?




  -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
  Darrell

  ([EMAIL PROTECTED])
Sent: Tuesday, October 17, 2006 11:25 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] 

RE: [Declude.JunkMail] anyone know what ssdmbs.exe is?

2006-10-05 Thread Colbeck, Andrew



Hey, Craig.

Did you resolve this, and what was the 
outcome?

Andrew 8)




  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
  Sent: Tuesday, September 26, 2006 8:46 AM
  To: declude.junkmail@declude.com
  Subject: RE: [Declude.JunkMail] anyone know what ssdmbs.exe is?
  Sensitivity: Confidential
  
  Never heard of ssdmbs.exe ...
  
  Search your filesystem for the file and see if the 
  location or right-clicking on it gives you any insight.
  
  I like to use Process Explorer from sysinternals.com for 
  stuff like this. It's like Task Manager but has all the features you 
  wished it had, like right-clicking on the executable, getting properties and 
  seeing the full path to that executable.
  
  I also like their Auto Run to tell me the start location 
  of all the executables (like Startup, autoexec, HKLM...Run and far 
  more).
  
  Of course their Rootkit Explorer is also good; I always 
  find false positives in their "heuristic" type of tests like small differences 
  in memory size allocations.
  
  RegMon and FileMon are invaluable for ferreting out what 
  an executable is doing right now.
  
  All of these tools are free from SysInternals.com (soon 
  to be free downloads from Microsoft.com)
  
  Andrew.
  
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Craig Edmonds
Sent: Tuesday, September 26, 2006 5:20 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] anyone know what ssdmbs.exe is?
Importance: High
Sensitivity: Confidential

I have a process in my server taking up 80% cpu and it's called ssdmbs.exe.

Is this something to do with declude?

I can't seem to end the process either, it says Access Denied.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]



RE: [Declude.JunkMail] OT: Disk pattern 0xDF in files - Microsoft confirms KB920958 bug!

2006-09-27 Thread Colbeck, Andrew
Microsoft re-released MS06-049 outside of their regular patch cycle,
along with a patch to the VML/vgx.dll issue.

http://www.microsoft.com/technet/security/Bulletin/MS06-049.mspx

Andrew.
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Colbeck, Andrew
 Sent: Monday, September 18, 2006 9:33 AM
 To: declude.junkmail@declude.com
 Subject: RE: [Declude.JunkMail] OT: Disk pattern 0xDF in 
 files - Microsoft confirms KB920958 bug!
 
 And it made its appearance over at the SANS Internet Storm 
 Center handler's log:
 
 http://isc.sans.org/diary.php?storyid=1711
 
 In short, Microsoft has admitted that there is a problem and 
 updated their advisory and also provided a hotfix.
 
 Andrew.
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Heimir Eidskrem
  Sent: Tuesday, September 12, 2006 7:16 AM
  To: declude.junkmail@declude.com
  Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in files - 
  Microsoft confirms KB920958 bug!
  
  Andy,
  
  Not sure if you saw it but this issue was brought up on Slashdot 
  yesterday, so it got some exposure.
  
  Heimir
  
  
  Andy Schmidt wrote:

   Hi,
  
   I finally was able to get a confirmation from Microsoft Support 
   yesterday afternoon (case: SRZ060911001854)
  
   We are aware the issue you are experiencing. A
  corresponding bugcheck
   request is currently open, and the develop team is working
  on this issue.
   However, the hotfix for this issue is not ready.
  
   0xDF is the data pattern that NTFS returns when it has problem to 
   decompress the file (eg. the compression fragments are
  corrupted and
   can't be decompressed). Based on my research, the actual
  raw data on
   the disk is not changed, it shows as 0xDF because the 
 system cannot 
   decompress the file and display the data correctly. So the
  corrupt is not permanent.
  
    Furthermore, the issue only occurs on files containing 
    Hexadecimal codes.
  
   Apparently, Microsoft decided not to warn people about this
  problem -
    no comment has been added to KB920958 warning people which system 
   configurations will cause data loss (who cares if it's not
  permanent
   if you can't use your data for a few months).
  
   Best Regards
   Andy Schmidt
  
   Phone:  +1 201 934-3414 x20 (Business)
   Fax:+1 201 934-9206 
  
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of 
   Heimir Eidskrem
   Sent: Thursday, August 24, 2006 03:21 PM
   To: declude.junkmail@declude.com
   Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in files -
   KB920958 may be bad!
  
   Answers below.
  
   Andy Schmidt wrote:
 
   Hi Heimir:
  
   I've been running a number of tests, am in contact with a third 
   Microsoft customer and some pattern seems to emerge. I 
 also have a 
   lead to a questionable Hotfix, but I'm trying to qualify
  that first.
  
   Can we first compare your systems to see what's the same
  (and may be
   relevant) and what's different:
  
   A) Disks are defined as dynamic 
 
   
   Dynamic
 
   B) Disks are software mirrored using Win2k Disk Administration
 
   
   no
 
   C) The folders with the problem files have the compression 
   attribute set!
 
   
   yes.
 
   D) Did the problem occur at some point after KB920958 was
  installed?
 
   
   yes, I think so.
 
   E) Do the corrupted files have a content of all 0xDF (it looks a 
   little like an uppercase B, the German special s, or 
 like the 
   Beta
   character)
 
   
   Yes
 
    F) Does it appear as if only NEW files are affected?
 
   
   no, old files as well. BUT I think defrag ran this 
 weekend and that 
   would have moved some files - if that matters.
 
    G) Does it appear as if only files are affected that are
   close to a
    multiple of 4K?
 
   
   Yes.
 
   I broke the mirrors on my effected two servers and ran
  ChkDsk /F. On
   one server, ONE disk ChkDsk reported errors (including the
  files that
   I knew were corrupted) - virtually all of them were image
  file types.
   I reran the ChkDsk and it did NOT find errors. I then tried the 
   second disk of the mirror and it found no errors at all. I then 
    reestablished the mirrors and my client continues to have
  problems with new files.
  
    On the second server, I broke the mirror, again, the ChkDsk /F 
    repaired a long list of errors.  I did NOT reestablish the
  mirror and
   did not put that disk back in service.
  
  
   Please contribute to the thread in the Microsoft newsgroup:
   
  
 http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us
   /
   defaul
   
  
 t.mspx?dg=microsoft.public.win2000.file_systemmid=d826afe9-2ab1-4b2f
   -
   ae11-c
   c27702f574a
  
   Best Regards
   Andy Schmidt
  
   Phone:  +1 201 934-3414 x20 (Business)
   Fax:+1 201 934-9206
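The corruption signature described in this exchange (files filled end to end with 0xDF, with sizes close to a multiple of 4K) is easy to sweep for with a small script. The scanner below is an added example, not code from the thread; the 4096-byte cluster size, the "near a boundary" threshold of one eighth of a cluster, and the sample files it creates are assumptions/constructed data.

```python
import os
import tempfile
from pathlib import Path

PATTERN = 0xDF   # fill byte reported in the thread
CLUSTER = 4096   # "close to a multiple of 4K" (assumed cluster size)

def is_all_pattern(path, byte=PATTERN):
    """True if the file is non-empty and every byte equals `byte`."""
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            size += len(chunk)
            if chunk.count(byte) != len(chunk):
                return False
    return size > 0

def cluster_slack(size, cluster=CLUSTER):
    """Bytes from the file size up to the next multiple of `cluster` (0 if exact)."""
    return (-size) % cluster

def scan(root, max_slack=CLUSTER // 8):
    """Walk `root`; report every file that consists entirely of PATTERN bytes."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and is_all_pattern(path):
            size = path.stat().st_size
            slack = cluster_slack(size)
            hits.append({"path": str(path), "size": size,
                         "slack": slack, "near_4k": slack <= max_slack})
    return hits

def make_sample_tree(root):
    """Constructed sample files (not data from the thread)."""
    root = Path(root)
    (root / "good.txt").write_bytes(b"hello world\n")
    (root / "corrupt.jpg").write_bytes(bytes([PATTERN]) * 8100)   # 92 bytes short of 8K
    (root / "corrupt_exact.gif").write_bytes(bytes([PATTERN]) * 4096)
    (root / "mixed.bin").write_bytes(bytes([PATTERN]) * 4000 + b"\x00")
    (root / "empty.dat").write_bytes(b"")
    return root

def scan_sample():
    """Build the sample tree in a temp dir; return {file name: slack} for each hit."""
    with tempfile.TemporaryDirectory() as tmp:
        return {os.path.basename(h["path"]): h["slack"]
                for h in scan(make_sample_tree(tmp))}
```

Run `scan()` over the suspect share to get the list of candidates before comparing it against the ChkDsk output.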

RE: [Declude.JunkMail] anyone know what ssdmbs.exe is?

2006-09-26 Thread Colbeck, Andrew



Never heard of ssdmbs.exe ...

Search your filesystem for the file and see if the location 
or right-clicking on it gives you any insight.

I like to use Process Explorer from sysinternals.com for 
stuff like this. It's like Task Manager but has all the features you wished 
it had, like right-clicking on the executable, getting properties and seeing the 
full path to that executable.

I also like their Auto Run to tell me the start location of 
all the executables (like Startup, autoexec, HKLM...Run and far 
more).

Of course their Rootkit Explorer is also good; I always 
find false positives in their "heuristic" type of tests like small differences 
in memory size allocations.

RegMon and FileMon are invaluable for ferreting out what an 
executable is doing right now.

All of these tools are free from SysInternals.com (soon to 
be free downloads from Microsoft.com)

Andrew.



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
  Sent: Tuesday, September 26, 2006 5:20 AM
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] anyone know what ssdmbs.exe is?
  Importance: High
  Sensitivity: Confidential
  
  I have a process in my server taking up 80% cpu and it's called ssdmbs.exe.
  
  Is this something to do with declude?
  
  I can't seem to end the process either, it says Access Denied.
  
  Kindest Regards
  Craig Edmonds
  123 Marbella Internet
  W: www.123marbella.com
  E : [EMAIL PROTECTED]
  
  ---
  This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.


