RE: [Declude.JunkMail] OBFUSCATION filter
Ahh. Understood. I got confused by our rules where we code for a single instance restricted to the URL. (Can't do that without wildcards). All good then. Great work!

_M

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
|Sent: Monday, September 15, 2003 12:40 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] OBFUSCATION filter
|
|Pete,
|
|It's not redundant because the two by themselves only check for strings of two, while the combination checks for strings with one of each in succession. This way, if they go back and forth between the two, it will get caught as long as there is a . or @ between them, or as long as it is URL encoding followed by HTML encoding. I left out the other way around because it was only a two character string, ;% and wanted to protect from FP's.
|
|I do appreciate the feedback though...I do of course make mistakes.
|
|Matt
|
|Pete McNeil wrote:
|
| Matt,
|
| It appears that your coding for a combination of http url encoding in urls is redundant since you capture both types individually. It's a small optimization, but worth mentioning.
|
| _M
|
| At 07:46 PM 9/14/2003 -0400, you wrote:
|
| I've posted a newer version of the OBFUSCATION filter on my site. This contains the removal of the attachment thing and also the removal of 6 (of over 100) tests in order to be more forgiving, sans the PayPal issue.
|
| http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
|
| If you find any false positives with this besides the Ticketmaster one that I've already counterbalanced, please let me know. I would imagine that posting to this group would be better than PM's unless others mind having discussion here. That way everyone would know about any issues ASAP.
|
| Thanks,
|
| Matt
|
| ---
| [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
|
| ---
| This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Bogus comments
Not quite right. Normal HTML does often contain comments, usually generated automatically as a debugging aid for the developer. Normal HTML does not usually contain comments that break up words like fr <!-- catch me if you can --> ee (note that I added a space after fr and before ee to be sure Message Sniffer filters wouldn't catch this accidentally).

_M

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of interactiveaustria
|Sent: Friday, September 12, 2003 1:14 AM
|To: [EMAIL PROTECTED]
|Subject: [Declude.JunkMail] Bogus comments
|
|Hi,
|
|is there a possibility to test for (bogus) comments with Declude.Junkmail (I'm using the lite version)? Something like
|
|V<!-- hfa -->I<!-- kfk -->A<!-- sak -->G<!-- jkd -->R<!-- hdg -->A
|
|Anyway, a normal HTML Mail should not contain any comments at all (is that right?), so that could be a 100% indicator for spam.
|
|Best wishes
|Michael
|
|+--+
|| interactiveaustria |
|| Michael Tobisch EDV-Dienstleistungen |
|| Wiesengasse 12, A-8160 Weiz |
|| Tel +43 3172 4930 |
|| GSM +43 664 2126941 |
|| EMail [EMAIL PROTECTED] |
|| Web http://www.iaa.at |
|+--+
|| Customer information by e-mail: |
|| http://www.iaa.at/kundeninfo.asp |
|+--+
RE: [Declude.JunkMail] scrambled url in source of e-mail
For one thing this is a great way to filter spam. There is no good reason to encode part of a url, or for that matter to encode "normal" characters. So, anything with %30%37.biz is _ALMOST_ certain to be spam. We have been testing a number of rules like this already with great results. I see no reason that rules like this can't be made in IMail or Declude directly since they tend to be very simple and short.

Hope this helps,

_M
Chief Sortmonster (www.sortmonster.com)
"The more they rethink the plumbing, the easier it is to stop up the works - Scotty"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Thursday, September 04, 2003 9:33 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] scrambled url in source of e-mail

How does one deal with scrambled source in the e-mail? For example I find the following address:

www.%3982%30%37.biz

I like to use the address in my filter file but am not sure if the scrambled form will work, as I assume there must be a translation going on when this code gets processed.

thanks

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Thursday, September 04, 2003 8:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Placing Weight in Header

Duuuh.. Why didn't I think of that. FWIW, if you just put Weight: %WEIGHT% in the header then you might be breaking RFC's. There should be an X- before your "Weight" line, which will denote a comment line.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GlobalWeb.net Webmaster
Sent: Thursday, September 04, 2003 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Placing Weight in Header

we use, in our global.cfg file,

XINHEADER Weight: %WEIGHT%

so you could put in yours:

XINHEADER X-DECLUDE-WEIGHT:%WEIGHT%

Sincerely,
Randy Armbrecht
Global Web Solutions, Inc.
804-346-5300 ext. 1
877-800-GLOBAL (4562) ext. 1
http://globalweb.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Thursday, September 04, 2003 7:39 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Placing Weight in Header

Is there any way to place the total weight in the SMTP header? Something like:

X-DECLUDE-WEIGHT: yyy
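An added example (my own code, not from the list, Declude or Message Sniffer) that ties together the three tricks discussed in these threads: comments that split a word (Bogus comments), percent-encoding of characters that never need it in a hostname like the one Harry quotes, and URL encoding immediately followed by HTML encoding as in Matt's OBFUSCATION filter. It also shows the normalized form a literal filter string would have to match. The sample bodies are constructed and `example.test` is a placeholder host.

```python
import re
from html import unescape
from urllib.parse import unquote

# Constructed sample bodies modelled on the thread examples (not real list mail);
# example.test is a placeholder host.
SAMPLES = {
    "split_word": "fr<!-- catch me if you can -->ee V<!-- hfa -->I<!-- kfk -->A",
    "encoded_host": 'Visit <a href="http://www.%3982%30%37.biz/">here</a>',
    "mixed_encoding": "http://example.test/%6c&#111;gin",
    "clean": 'Hi <!-- built by our CMS --> <a href="http://example.test/?q=a%20b">x</a>',
}

# An HTML comment glued directly between two word characters: fr<!-- x -->ee
WORD_SPLIT_COMMENT = re.compile(r"\w<!--.*?-->\w", re.DOTALL)
# Characters that never need %XX encoding in a URL (RFC 3986 unreserved set)
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
# URL encoding immediately followed by an HTML numeric entity: %XX&#NN;
MIXED_ENCODING = re.compile(r"%[0-9A-Fa-f]{2}&#\d+;")

def needless_escapes(text):
    """Return the %XX escapes that encode characters needing no encoding."""
    return [m.group(0) for m in PCT_ESCAPE.finditer(text)
            if chr(int(m.group(1), 16)) in UNRESERVED]

def normalize(text):
    """Drop comments, then decode entities and percent escapes, so a literal
    filter string (e.g. a domain name) matches what the recipient sees."""
    no_comments = re.sub(r"<!--.*?-->", "", text, flags=re.DOTALL)
    return unquote(unescape(no_comments))

def obfuscation_findings(text):
    """List the obfuscation tricks present in an HTML message body."""
    findings = []
    if WORD_SPLIT_COMMENT.search(text):
        findings.append("comment splits a word")
    if needless_escapes(text):
        findings.append("url-encodes unreserved characters")
    if MIXED_ENCODING.search(text):
        findings.append("url encoding followed by html encoding")
    return findings

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {obfuscation_findings(body)} -> {normalize(body)!r}")
```

The clean sample shows the point Pete makes: an ordinary tool-generated comment between words, or a %20 in a query string, trips none of the three checks.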
RE: [Declude.JunkMail] More and more email getting past Declude
They're not getting past everything - we show a rejection rate of greater than 75% almost consistently... not to say that the problem isn't getting worse though.

http://www.sortmonster.com/MessageSniffer/Performance/FlowRates.jsp

We have seen a significant and apparently consistent rise in the rate of new spam since about a week ago - coinciding with the closure of Osirusoft... probably largely a matter of more reports rather than simply more spam - but significant nonetheless.

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

_M

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 9:21 AM
To: Declude JunkMail (E-mail)
Subject: [Declude.JunkMail] More and more email getting past Declude

Is it just me or have spammers found other ways to get past scanners? I've been getting slammed lately with more and more spam that is getting past declude without a single hit.

Greg Foulks
NewFound Technologies, Inc.
[EMAIL PROTECTED]
http://www.nfti.com
614.318.5036
RE: [Declude.JunkMail] OT: Declude notification and SoBig assault.
Message Sniffer has rules in place for this (about 30+ of them). We've also lifted the delay restriction on the demo license temporarily so that ANYONE can get this protection by running the demo license (sniffer2.snf) with Declude Junkmail.

BE SURE TO DOWNLOAD THE LATEST VERSION OF THE RULEBASE - http://www.sortmonster.com/MessageSniffer/Try-It.html

I am about to take off the group differentiation temporarily so that Declude can be set up to test for the specific rule group result for malware under the demo license. (We will keep the restrictions off of the demo license (sniffer2.snf) until the biggest problems with Sobig are over.)

That result code for the malware rule group is: 55.

USE CAUTION! We _think_ we've got good filters in place for all variants of sobig.f, however we have seen minor changes showing up and nothing is perfect. We do seem to be catching almost all of it though...

Hope this helps,

_M

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of junk mail
|Sent: Friday, August 22, 2003 12:48 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] OT: Declude notification and SoBig assault.
|
|We are only running Declude JunkMail. Is anyone setting up any rules to filter out the SoBig virus other than using Declude virus software?
|
|Thanks,
|Dom
RE: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?
Please forward a copy of the newsletter to me ([EMAIL PROTECTED]) as an attachment and I will adjust the rule base (if appropriate). This is a service we provide by default to each subscriber, but we also - in general - code the core rule base to avoid false positives whenever we hear about them and the choice is widely applicable.

Your assistance is greatly appreciated.

Thanks,

_M

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
|Sent: Thursday, August 21, 2003 7:38 AM
|To: [EMAIL PROTECTED]
|Subject: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?
|
|Hi,
|
|Message sniffer is not so bad as I tested it, but I have a big problem with newsletters: it has a big false positive rate with them.
|
|Regards
|Mehdi Blagui
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
|Sent: Thursday, August 21, 2003 03:32
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?
|
|John,
|
|I just joined the list today, but I found your configuration file from back in June and it was very helpful in understanding how to fine tune Alligate. I'm going to study its logs more closely before I start that phase though, looking for false positives. I've turned that test down to 3/10 of failure and reduced several other tests by 1/10 to 2/10 of failure in order to accommodate it (BADHEADERS for instance). It seems to get most of its scoring from technical-type stuff instead of the heuristics, and if this is the case, I don't think that a scaled test would be that much more useful to me. If I could score the content and obfuscation, and just those things, I wouldn't be double counting the technicals, and that should reduce some false positives.
|
|I don't want to knock Alligate, it has some nice functionality, especially when used without Declude (auto whitelisting and digest notification), and it does what it says, but it has a relatively high false positive rate in the default configuration and therefore it can't be scored higher than it is on my scale. If they could get the auto whitelisting and digest notification to work with Declude, that might make me a buyer. I'm still looking for more information on Message Sniffer within this context.
|
|I've looked at AutoWhite and will probably give it a try, but I can't find any information on Match. Would you care to share a link?
|
|Thanks,
|
|Matt
|
|John Tolmachoff (Lists) wrote:
|
|As one of the earlier testers and helped develop the variable scale of Alligate, I can understand your position. I have a client that gets a lot of e-mail from the Far East and a lot of bcc broadcasts and lists. Many of these show elements of spam, but are legit. That is what makes it hard.
|
|There are a number of adjustments available in Alligate. You might want to look over my config file I posted earlier today.
|
|One thing I do for this specific issue is I use 2 programs. One is Match, which is very simple but does need to be revised. The other is AutoWhite. A 30 demo of AutoWhite is available at www.eservicesforyou.com/products/autowhite.html. Match is free.
|
|While everyone can have a unique setup, please let me know if you would like to spend some time going over the possible configurations in Alligate.
|
|John Tolmachoff MCSE CSSA
|Engineer/Consultant
|eServices For You
|www.eservicesforyou.com