RE: [Declude.JunkMail] whitelist and mult rcpt
YES. This would solve the problem we are having (although not perhaps everyone's problems <g>). None of these messages were only to the postmaster. They all came either with two names in the TO line or with a CC that included the postmaster.

Karen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Madscientist
Sent: Thursday, May 29, 2003 8:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] whitelist and mult rcpt

In the interim, a less complex method might be to have a setting which will ignore a white list entry for an address if more than one recipient is specified. This might take the form of a special kind of whitelist entry. Most valid messages to postmaster, for example, only have postmaster as the recipient. I know this would be less complicated than splitting up the messages.

I wonder if there is a clean way to intercept message retrieval or final delivery (better) with a program like a second pass of Declude or another utility like Message Sniffer. I'm not close enough to the guts of IMail to know if this is practical, but it might significantly simplify this problem. Any ideas Scott?

_M

]-----Original Message-----
]From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Karen Oland
]Sent: Thursday, May 29, 2003 12:57 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] whitelist and mult rcpt
]
]We've been getting a lot of spam in the last week or so that bypasses all our spam filters -- they are all copied to the postmaster@ account for our domain. Apparently, they are taking advantage of the common practice of whitelisting the postmaster and the inability of spam filtering programs to separate actions on messages sent to multiple users. No doubt, it won't be long before most messages do the same, rendering both your postmaster account and spam filters useless.
]
]I know it has been asked for before and said to be impossible (programmer speak, for don't want to do it -- I know, being one), but PLEASE consider creating multiple copies of messages that arrive for multiple recipients, so that the spam filters can operate (yes, this means some complications, but a little trickery could reduce problems -- for example, only making a copy for the recipient(s) that are whitelisted).
]
]---
][This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
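
The whitelist bypass described in this thread and the two remedies proposed in it (ignore the entry when there is more than one recipient; filter a separate copy per recipient), modelled side by side. This is an added example, not part of the original messages and not Declude code: the function names, the hold threshold and the addresses are all hypothetical.

```python
"""Recipient whitelisting on multi-recipient mail (added illustration).

Every name and the threshold below are hypothetical; this models the
behaviour discussed in the thread and is not Declude code or configuration.
"""
from dataclasses import dataclass

HOLD_WEIGHT = 10  # constructed threshold: hold mail at or above this weight


@dataclass
class Envelope:
    recipients: list   # SMTP RCPT TO addresses
    spam_weight: int   # total weight assigned by the spam tests


def _norm(addresses):
    return {a.strip().lower() for a in addresses}


def _filtered(env):
    return "hold" if env.spam_weight >= HOLD_WEIGHT else "deliver"


def any_recipient_rule(env, whitelist):
    """One action per message: any whitelisted recipient exempts it for all."""
    return "deliver" if _norm(env.recipients) & _norm(whitelist) else _filtered(env)


def sole_recipient_rule(env, whitelist):
    """Interim idea: ignore the entry when more than one recipient is given."""
    rcpts = _norm(env.recipients)
    if len(rcpts) == 1 and rcpts <= _norm(whitelist):
        return "deliver"
    return _filtered(env)


def per_recipient_rule(env, whitelist):
    """Copy-per-recipient idea: only whitelisted recipients skip the filters."""
    wl = _norm(whitelist)
    return {r: "deliver" if r in wl else _filtered(env)
            for r in sorted(_norm(env.recipients))}


# Constructed samples: spam CC'd to postmaster, and a postmaster-only report.
WHITELIST = ["postmaster@example.com"]
SPAM_CC = Envelope(["sales@example.com", "Postmaster@example.com"], 15)
REPORT = Envelope(["postmaster@example.com"], 15)

if __name__ == "__main__":
    for rule in (any_recipient_rule, sole_recipient_rule, per_recipient_rule):
        print(rule.__name__, rule(SPAM_CC, WHITELIST), rule(REPORT, WHITELIST))
```

The sole-recipient rule trades the bypass for a new failure mode: a legitimate high-weight message addressed to postmaster plus someone else is now held, which the per-recipient rule avoids.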
RE: [Declude.JunkMail] whitelist and mult rcpt
From: R. Scott Perry

Perhaps the reason spam is so widespread now is because people aren't bothering to listen to the abuse complaints. :)

True. Oddly, we get ZERO emails sent to abuse (other than a flurry of virus attempts a while back). But, postmaster has become one of the most popular email accounts here, along with two business email lists (for sales, etc) that have been grabbed off a company web page (since no-one here can send from those group addresses).

Karen
[Declude.JunkMail] imail spam....
some addresses changed to protect the innocent

Received: : from newman.ipswitch.com [156.21.1.4] by domain.com with ESMTP (SMTPD32-7.15) id AF85B3800F8; Thu, 29 May 2003 13:12:37 -0400
Received: from CAMPAIGN [156.21.1.4] by newman.ipswitch.com (SMTPD32-8.00) id AED75303016C; Thu, 29 May 2003 13:09:43 -0400
From: Ipswitch, Inc. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: IMail Server Training
Date: THU, 29 MAY 2003 13:09:43 -0400
Reply-To: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?156.21.1.4
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-Declude-Sender: [EMAIL PROTECTED] [156.21.1.4]
X-Declude-Spoolname: D3f850b3800f81a4f.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Declude: Version 1.69i18; D3f850b3800f81a4f.SMD
X-Declude: Failed SPAMCOP, SPAMHEADERS, NOLEGITCONTENT, WEIGHTSCAN [15]
X-Note: This E-mail was sent from cs.ipswitch.com ([156.21.1.4]).
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]
X-Note: - Total spam weight of this E-mail is 15.
X-Spam-Prob: 0.925289
[Declude.JunkMail] whitelist and mult rcpt
We've been getting a lot of spam in the last week or so that bypasses all our spam filters -- they are all copied to the postmaster@ account for our domain. Apparently, they are taking advantage of the common practice of whitelisting the postmaster and the inability of spam filtering programs to separate actions on messages sent to multiple users. No doubt, it won't be long before most messages do the same, rendering both your postmaster account and spam filters useless.

I know it has been asked for before and said to be impossible (programmer speak, for don't want to do it -- I know, being one), but PLEASE consider creating multiple copies of messages that arrive for multiple recipients, so that the spam filters can operate (yes, this means some complications, but a little trickery could reduce problems -- for example, only making a copy for the recipient(s) that are whitelisted).
RE: Re[2]: DSN:Re: Re[2]: [Declude.JunkMail] A Question of Ethics
In a corporate setting a company may or may not have an Internet/email/conduct policy. If not, it may be very difficult to fire someone for conduct that they didn't agree to abide by and if it came to a lawsuit they would probably lose.

In fact, in TN, a long-haul trucker won a worker's comp lawsuit against his employer for injuries suffered while having sex in his cab, driving down the road and he was hit by a train (the female passenger, having no seat belt and not being seated in a passenger seat anyway, was thrown from the truck and killed). The first court ruled against the trucker (holding the belief that such behavior was outside the bounds of reasonable on-the-job behavior and as such, not a compensable accident). Higher courts ruled for the trucker - there was no written policy prohibiting such behavior and this person was used to doing this on a routine basis while performing his job (doesn't this make you feel safe, driving the freeway when it is full of trucks?). So, yes, without a written policy prohibiting certain behavior, you will probably lose in a suit.

However, in any case, using porn email as proof of violating a written policy would probably also result in losing such a suit -- all it would take is having one person on a jury that has an email account of their own -- eventually, everyone gets porn email, it seems, and once on the list, the amount seems to keep adding up (we even get it on email accounts that were set up as a mailing list for internal distribution, that have never sent any emails out to the world). And much porn email can look as though it was asked for, substituting first names (gathered using many techniques) into long messages, using subject lines that look as tho you asked for the information (lures to get the email opened), etc.

A better use of Declude would be to offer porn filtering (delete on detection) and spam forwarding (for retrieval of misclassified messages when necessary).

Better proof would be simply browsing someone's workstation and web surfing history (few delete such things and one of the worst cases I ever worked on was an attorney several years back that had installed compression onto his drives in order to make room for all the pornographic games, pictures, movies that had been downloaded and stored all over his official company computer).

K. Oland
RE: [Declude.JunkMail] EXE files, again!
Unfortunately, failure to run AV programs at the client side (as well as at the mail server) has crippled the legitimate sending of .EXE files through email (which we commonly used to do -- our users are unsophisticated and have trouble extracting updates out of their email if zipped first). We violate absolutely zero licenses in our distributions (licensed zip program for creating self-extracting emails). Instead, we have to resort to posting the exe, sending out an email, then walking the user through the download and execution on the phone (sure, we had to talk to them before, but AFTER they downloaded the EXE across their crappy dial-up connection). Trying to explain ZIP files -- forget it, you have to walk them through finding a freeware ZIP program, installing it, possibly rebooting, then unzipping the download and extracting it -- this is why we started using EXE files long ago. I guess the next step in the progress of email is we'll go back to mailing out diskettes (which had the benefit of not having to explain that the EXE and the unzipped files did not BOTH fit on a diskette).

Set up an area that your old lady customer can upload her cute EXE files (or document how to use one of the free sites) and set up clear documentation that any 50 year old can follow (not that a kid can follow) on how to link the file in an email. Explain the benefit of not worrying if the receiver's mailbox is full or having to wait when sending the cute file to all her friends for it to be uploaded once per receiver.

K Oland

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sheldon Koehler
Sent: Wednesday, January 08, 2003 11:44 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] EXE files, again!

Anyone have good links?

From http://www.sophos.com/virusinfo/whitepapers/prevention.html
From http://www.sophos.com/virusinfo/articles/safehex.html

Thanks Bill. I plan on making another web page to go along with this one: http://www.tenforward.com/support/viruspage.php

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
RE: [Declude.JunkMail] Filter Help
The test appears to be set up correctly. I checked my declude log - there are entries for the spamtext.txt file (which contains the below) triggering on line 12 (one line below this particular block) and entries for the base64 test being triggered.

I pulled a random message out of my delete box that should have been flagged and checked the headers. This is what I got:

Received: from mx3.finehost.net [66.205.220.31] by staffingtech.com (SMTPD32-7.13) id AB80F410120; Wed, 16 Oct 2002 01:39:12 -0400
X-Priority: 3
Return-Path: [EMAIL PROTECTED]
From: Cash Online [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Received: from mx3.finehost.net by 2ER93A05EK4L1M.mx3.finehost.net with SMTP for [EMAIL PROTECTED]; Tue, 15 Oct 2002 13:40:42 -0500
Date: Tue, 15 Oct 2002 13:40:42 -0500
Subject: Get up to $500 today!
Message-Id: 5CU72GH.BCTT9X79.Cash Online [EMAIL PROTECTED]
X-Mailer: YDH_optin_v1.2
X-Encoding: MIME
MIME-Version: 1.0
X-MSMail-Priority: Normal
Content-Type: multipart/alternative; boundary==_NextPart_24_30472442
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?66.205.220.31
X-Declude-Sender: [EMAIL PROTECTED] [66.205.220.31]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: SPAMCOP
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 300488074

So, the message does not appear to be base64. It does contain some html code, but in the clear portion at the bottom, there is the usual unsubscribe junk:

While visiting a partner website, you opted-in to receive special online offers. To end your membership, click reply and send this email or click http://66.163.246.29/unsubscribe.php?[EMAIL PROTECTED]

This is the same as what appears if you open the message (which also then displays their ad in living color).

This is the entry in the global.cfg:

SPAMTEXT filter c:\imail\declude\spamtext.txt x 0 0

and the entry for the above msg and one that did fail the spamtext rule in the declog:

10/16/2002 01:39:16 Qfb800f410120c136 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?66.205.220.31).
10/16/2002 14:27:18 Qaf8311c10120f2ab Msg failed SPAMTEXT (Message failed SPAMTEXT test (12)).

I also cut and pasted the raw html source into a program to count characters -- a total of 2438, including all spaces.

Karen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, October 16, 2002 2:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filter Help

I included the rules below, but they never seem to trigger:

BODY 10 CONTAINS http://1
BODY 10 CONTAINS http://2
BODY 10 CONTAINS http://3
BODY 10 CONTAINS http://4
BODY 10 CONTAINS http://5
BODY 10 CONTAINS http://6
BODY 10 CONTAINS http://7
BODY 10 CONTAINS http://8
BODY 10 CONTAINS http://9
BODY 10 CONTAINS http://0

Are you sure that the filter is set up properly (are other filters working properly)? That's the most likely problem.

The other possibility would be if the E-mail is base64 encoded, in which case filtering won't work (but the E-mail will fail the BASE64 test).

-Scott
RE: [Declude.JunkMail] Filter Help
Yes, we know. That is why we wanted to use a weighted rule in Declude, rather than an absolute rule in IMAIL. The problem with specific addresses (and we have a few (ok, a lot) of those) is that the spammers simply move every so often, but we keep blocking the old IP addresses forever. And they can get new addresses faster than we can add them to the list.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Madscientist
Sent: Wednesday, October 16, 2002 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Filter Help

An Aside - Watch out for false positives with this one. We tried a rule that captured all numeric-only web links as they are a favorite for porn spammers and mortgage folks. Unfortunately we discovered that a number of legitimate news services also do this sometimes so we were forced to begin entering specific numbered web links.
RE: [Declude.JunkMail] Filter Help
ARRGGHHH spaces after the 6!!! and the same on all but one of the rules. All found and fixed (and several more rules later on with spaces). (but, yes, there was an http://6 in the raw source).

Thanks for the help,
Karen

-----Original Message-----
From: R. Scott Perry

I also cut and pasted the raw html source into a program to count characters -- a total of 2438, including all spaces.

Did you check the raw HTML source to see if it had "http://6" in it?

Are there any spaces after the "http://6" in the c:\imail\declude\spamtext.txt file (which would require the space(s) in the E-mail)?

-Scott
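
The fault found in this exchange, trailing spaces after the match text in the filter file, can be checked for mechanically. The following is an added example, not part of the original messages and not Declude code: it assumes the `BODY <weight> CONTAINS <text>` line shape quoted in the thread and exact substring matching in which trailing spaces count as part of the text; the sample filter and body are constructed.

```python
"""Lint a Declude-style filter file for trailing whitespace (added illustration).

Assumes the line shape quoted in the thread (BODY <weight> CONTAINS <text>)
and exact substring matching in which trailing spaces are part of the text.
"""
import re

RULE = re.compile(
    r"^(?P<scope>\S+)[ \t]+(?P<weight>-?\d+)[ \t]+CONTAINS[ \t]+(?P<text>.*)$")


def parse_rules(filter_text):
    """Return (line_number, scope, weight, text); text keeps trailing blanks."""
    rules = []
    for number, line in enumerate(filter_text.split("\n"), start=1):
        match = RULE.match(line.rstrip("\r"))
        if match:
            rules.append((number, match["scope"], int(match["weight"]),
                          match["text"]))
    return rules


def trailing_whitespace(rules):
    """Rules whose match text ends in spaces or tabs: they can only fire
    when the message carries the same blanks after the text."""
    return [(number, text) for number, _, _, text in rules
            if text != text.rstrip()]


def body_weight(body, rules):
    """Sum the weights of BODY rules whose text occurs in the body."""
    return sum(weight for _, scope, weight, text in rules
               if scope == "BODY" and text in body)


def strip_trailing(filter_text):
    """Corrected file content: every line without trailing whitespace."""
    return "\n".join(line.rstrip() for line in filter_text.split("\n"))


# Constructed sample: two of three rules carry invisible trailing spaces.
SAMPLE_FILTER = ("BODY 10 CONTAINS http://5\n"
                 "BODY 10 CONTAINS http://6  \n"
                 "BODY 10 CONTAINS http://7 \n")
# Constructed body modelled on the unsubscribe link quoted in the thread.
SAMPLE_BODY = "To end your membership, click http://66.163.246.29/unsubscribe.php"

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_FILTER)
    for number, text in trailing_whitespace(rules):
        print(f"line {number}: trailing whitespace in {text!r}")
    print("weight before fix:", body_weight(SAMPLE_BODY, rules))
    print("weight after fix:",
          body_weight(SAMPLE_BODY, parse_rules(strip_trailing(SAMPLE_FILTER))))
```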
RE: [Declude.JunkMail] Filter Help
Also, filters only work with the Pro version of Declude, I believe.

-----Original Message-----
From: R. Scott Perry

... that I could do a filter to block all messages using that opt-in statement by: 1. putting While visiting a partner website, you opted-in to receive special online offers. in a text file called optin.txt

It would need to be set up as a filter, using a line such as BODY 10 CONTAINS While visiting a partner website, you opted-in to receive special online offers., rather than just the text by itself.