RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
Wouldn't Whitelist Auth stop JMPro from testing outgoing mail?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Robertson
Sent: Thursday, November 20, 2003 10:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection

John wrote:
> The problem with body filters is the big performance hit the server takes in high-volume setups. Comments?

Or big filters. As an experiment I took the Imail domain blacklist (17000 entries) and turned it into a mongo BODY CONTAINS filter file. It worked magnificently. The flow of spam was choked almost to death. So was the server. Despite a strong dual-proc box with gobs of memory and moderate mail flow, I had to shut it off after 24 hours.

The system was able to handle it until I had a client send out a big mailer of a few thousand individual mailpieces to their membership. Declude spawned a boatload of processes as it scanned all the outgoing mail and gagged the system.

If there was a way for JMPro to NOT test outgoing mail that would be great.

Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
Marc Catuogno wrote:
> Wouldn't Whitelist Auth stop JMPro from testing outgoing mail?

Unless I'm mistaken, whitelisting makes something automatically pass all tests. It doesn't prevent the tests from being run.

Besides, the mailing is being generated by ColdFusion 4.5, which doesn't support SMTP AUTH. I have to allow the unauthenticated mail to come in via a whitelisted IP in Imail.

Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
> Marc Catuogno wrote:
> > Wouldn't Whitelist Auth stop JMPro from testing outgoing mail?
>
> Unless I'm mistaken, whitelisting makes something automatically pass all tests. It doesn't prevent the tests from being run.

Actually, with the latest beta and IMail v8, you can use PREWHITELIST ON and WHITELIST AUTH, which will prevent the tests from being run on authenticated E-mail.

> Besides, the mailing is being generated by ColdFusion 4.5, which doesn't support SMTP AUTH. I have to allow the unauthenticated mail to come in via a whitelisted IP in Imail.

However, in this case, it wouldn't work with WHITELIST AUTH. If you could use WHITELIST FROM or WHITELIST IP, though, along with PREWHITELIST ON, it would bypass the scanning.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
Is 176i26 considered beta or do I need the file that -diag as 176b?

At 12:10 PM 11/21/2003, Scott wrote:
> Actually, with the latest beta and IMail v8, you can use PREWHITELIST ON and WHITELIST AUTH, which will prevent the tests from being run on authenticated E-mail.

--
Burzin Sumariwalla
Phone: (314) 994-9411 x291
[EMAIL PROTECTED]
Fax: (314) 997-7615
Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO 63131
RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
Any version with an i in it is an interim release (pre-beta or alpha, as they are sometimes called). The i indicates that it was released after the beta/release in the number. For example, if a release or beta is v8.99, and you have 8.99i1, it is an interim release that came out after 8.99.

-Scott

At 01:48 PM 11/21/2003, Burzin Sumariwalla wrote:
> Is 176i26 considered beta or do I need the file that -diag as 176b?
>
> At 12:10 PM 11/21/2003, Scott wrote:
> > Actually, with the latest beta and IMail v8, you can use PREWHITELIST ON and WHITELIST AUTH, which will prevent the tests from being run on authenticated E-mail.
Re: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
Great job Matt - again! One question though - should there be an ANTI-IPLINKED file? You mention one in your notes but I did not see one in the archive.

-Nick

-- Original Message --
From: Matthew Bramble [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 20 Nov 2003 19:43:42 -0500

Considering Kami's latest find and the general need to protect our customers from this type of thing which is even worse than a virus to the unknown, I have packed up two filters that I have been testing out for a while with very good results. These things target eBay, PayPal and credit card fraud very effectively. These filters are definitely of the 'must have' variety (Declude JunkMail Pro required).

@LINKED searches for either; a character followed by @ followed by a www., a TLD followed by a @, or a @ followed by an IP address. It will score 3 points for the first combination and 8 points for the second and third types of combinations (this is conservative scoring based on a fail weight of 10). Note that it can increment a score with successive hits for the latter two combinations, I haven't had time to separate this stuff out into multiple files for a configuration with less chance of causing problems (though this is fairly well foolproof as is with no problems noticed yet, but it will happen eventually, MAXPOINTS would fix the issue when it comes).

IPLINKED searches for either http://; followed by an IP address. This is recommended only at a score of 3 because it could compound with FP issues from the above filter, and it will have issues with Web hosters and designers passing around pre-DNS enabled links. I've seen a few legit automated mailers hit on this due to the designer missing a link update from development, or maybe they just made quick use of a particular server for some reason. It's very useful and highly indicative of spam of course.

I don't have pages for them up yet, so instead they will appear linked on my site from the main Declude Filters page until I get around to putting something up.

MailPure :: Filter Software :: Declude Filters
http://www.mailpure.com/software/decludefilters/

Enjoy as always,
Matt

--
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
Re: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
Nick,

I didn't update the notes when I moved a group of entries from that file to the other, and when I moved those things, it eliminated the need for the ANTI-IPLINKED filter. There are FP's possible with IPLINKED, but there is no way to counterbalance them in a generic manner, and they should be quite rare (less than 1 in 1000).

I'll comment these up better sometime soon. It would be nice to know if the Lite versions are causing any issues, because if they aren't, I might throw out the regular versions in favor of them.

Matt

nick wrote:
> Great job Matt - again! One question though - should there be an ANTI-IPLINKED file? You mention one in your notes but I did not see one in the archive.
>
> -Nick
>
> -- Original Message --
> From: Matthew Bramble [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Thu, 20 Nov 2003 19:43:42 -0500
>
> Considering Kami's latest find and the general need to protect our customers from this type of thing which is even worse than a virus to the unknown, I have packed up two filters that I have been testing out for a while with very good results. These things target eBay, PayPal and credit card fraud very effectively. These filters are definitely of the 'must have' variety (Declude JunkMail Pro required).
>
> @LINKED searches for either; a character followed by @ followed by a www., a TLD followed by a @, or a @ followed by an IP address. It will score 3 points for the first combination and 8 points for the second and third types of combinations (this is conservative scoring based on a fail weight of 10). Note that it can increment a score with successive hits for the latter two combinations, I haven't had time to separate this stuff out into multiple files for a configuration with less chance of causing problems (though this is fairly well foolproof as is with no problems noticed yet, but it will happen eventually, MAXPOINTS would fix the issue when it comes).
>
> IPLINKED searches for either http://; followed by an IP address. This is recommended only at a score of 3 because it could compound with FP issues from the above filter, and it will have issues with Web hosters and designers passing around pre-DNS enabled links. I've seen a few legit automated mailers hit on this due to the designer missing a link update from development, or maybe they just made quick use of a particular server for some reason. It's very useful and highly indicative of spam of course.
>
> I don't have pages for them up yet, so instead they will appear linked on my site from the main Declude Filters page until I get around to putting something up.
>
> MailPure :: Filter Software :: Declude Filters
> http://www.mailpure.com/software/decludefilters/
>
> Enjoy as always,
> Matt
RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
The problem with body filters is the big performance hit the server takes in high-volume setups. Comments?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Matthew Bramble
Sent: Thursday, November 20, 2003 4:44 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection

Considering Kami's latest find and the general need to protect our customers from this type of thing which is even worse than a virus to the unknown, I have packed up two filters that I have been testing out for a while with very good results. These things target eBay, PayPal and credit card fraud very effectively. These filters are definitely of the 'must have' variety (Declude JunkMail Pro required).

@LINKED searches for either; a character followed by @ followed by a www., a TLD followed by a @, or a @ followed by an IP address. It will score 3 points for the first combination and 8 points for the second and third types of combinations (this is conservative scoring based on a fail weight of 10). Note that it can increment a score with successive hits for the latter two combinations, I haven't had time to separate this stuff out into multiple files for a configuration with less chance of causing problems (though this is fairly well foolproof as is with no problems noticed yet, but it will happen eventually, MAXPOINTS would fix the issue when it comes).

IPLINKED searches for either http://; followed by an IP address. This is recommended only at a score of 3 because it could compound with FP issues from the above filter, and it will have issues with Web hosters and designers passing around pre-DNS enabled links. I've seen a few legit automated mailers hit on this due to the designer missing a link update from development, or maybe they just made quick use of a particular server for some reason. It's very useful and highly indicative of spam of course.

I don't have pages for them up yet, so instead they will appear linked on my site from the main Declude Filters page until I get around to putting something up.

MailPure :: Filter Software :: Declude Filters
http://www.mailpure.com/software/decludefilters/

Enjoy as always,
Matt
Re: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
Yep, I try to use them very sparingly, myself.

Bill

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 6:16 PM
Subject: RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection

The problem with body filters is the big performance hit the server takes in high-volume setups. Comments?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Matthew Bramble
Sent: Thursday, November 20, 2003 4:44 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection

Considering Kami's latest find and the general need to protect our customers from this type of thing which is even worse than a virus to the unknown, I have packed up two filters that I have been testing out for a while with very good results. These things target eBay, PayPal and credit card fraud very effectively. These filters are definitely of the 'must have' variety (Declude JunkMail Pro required).

@LINKED searches for either; a character followed by @ followed by a www., a TLD followed by a @, or a @ followed by an IP address. It will score 3 points for the first combination and 8 points for the second and third types of combinations (this is conservative scoring based on a fail weight of 10). Note that it can increment a score with successive hits for the latter two combinations, I haven't had time to separate this stuff out into multiple files for a configuration with less chance of causing problems (though this is fairly well foolproof as is with no problems noticed yet, but it will happen eventually, MAXPOINTS would fix the issue when it comes).

IPLINKED searches for either http://; followed by an IP address. This is recommended only at a score of 3 because it could compound with FP issues from the above filter, and it will have issues with Web hosters and designers passing around pre-DNS enabled links. I've seen a few legit automated mailers hit on this due to the designer missing a link update from development, or maybe they just made quick use of a particular server for some reason. It's very useful and highly indicative of spam of course.

I don't have pages for them up yet, so instead they will appear linked on my site from the main Declude Filters page until I get around to putting something up.

MailPure :: Filter Software :: Declude Filters
http://www.mailpure.com/software/decludefilters/

Enjoy as always,
Matt
Re: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
To save on processing, you can do the following:

@LINKED - Chop out the ccTLD's and only leave the gTLD's (over 200 lines saved). Also, you can also shorten all of the IP w/@ strings to just two numbers (10 through 99, be sure to include 10 and remove the dots) which would save another 150 lines or so. That would leave this filter with less than 150 BODY strings instead of over 500. It would be a little more prone to FP when you shorten the number strings I would think, but I haven't tested that.

IPLINKED - Shorten all of the IP w/@ strings to just two numbers (10 through 99, be sure to include 10 and remove the dots) which would save about 150 lines and make the file only about 100 BODY strings instead of about 250 in original format. Same issues with FP's as before as it can pick up domain names that begin with two numbers.

Both modifications should save you about 2/3 of the processing required of the full files and only moderately impact their capabilities.

Matt

John Tolmachoff (Lists) wrote:
> The problem with body filters is the big performance hit the server takes in high-volume setups. Comments?
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Matthew Bramble
> Sent: Thursday, November 20, 2003 4:44 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
>
> Considering Kami's latest find and the general need to protect our customers from this type of thing which is even worse than a virus to the unknown, I have packed up two filters that I have been testing out for a while with very good results. These things target eBay, PayPal and credit card fraud very effectively. These filters are definitely of the 'must have' variety (Declude JunkMail Pro required).
>
> @LINKED searches for either; a character followed by @ followed by a www., a TLD followed by a @, or a @ followed by an IP address. It will score 3 points for the first combination and 8 points for the second and third types of combinations (this is conservative scoring based on a fail weight of 10). Note that it can increment a score with successive hits for the latter two combinations, I haven't had time to separate this stuff out into multiple files for a configuration with less chance of causing problems (though this is fairly well foolproof as is with no problems noticed yet, but it will happen eventually, MAXPOINTS would fix the issue when it comes).
>
> IPLINKED searches for either http://; followed by an IP address. This is recommended only at a score of 3 because it could compound with FP issues from the above filter, and it will have issues with Web hosters and designers passing around pre-DNS enabled links. I've seen a few legit automated mailers hit on this due to the designer missing a link update from development, or maybe they just made quick use of a particular server for some reason. It's very useful and highly indicative of spam of course.
>
> I don't have pages for them up yet, so instead they will appear linked on my site from the main Declude Filters page until I get around to putting something up.
>
> MailPure :: Filter Software :: Declude Filters
> http://www.mailpure.com/software/decludefilters/
>
> Enjoy as always,
> Matt
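
The matching rules described in this thread for @LINKED and IPLINKED, together with the shortened "two numbers" variant from the reply above, sketched as an added Python example. This is not the MailPure filter files (those are lists of Declude BODY strings and are not shown on this page); regular expressions stand in for the string lists. The TLD subset, the `max_points` and `lite` parameters, counting the 3-point rules once per message, and the sample bodies are assumptions made for illustration.

```python
import re

# Constructed TLD subset (assumption); the thread says the real filter
# lists gTLDs and ccTLDs as separate strings.
TLDS = ("com", "net", "org", "info", "biz")

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}(?!\d)"   # dotted quad, octets 0-255

# @LINKED: the three combinations from the announcement.
AT_WWW = re.compile(r"\S@www\.", re.I)                    # character + @ + www.
TLD_AT = re.compile(r"\.(?:%s)@" % "|".join(TLDS), re.I)  # TLD + @
AT_IP = re.compile(rf"@{IPV4}")                           # @ + IP address
# IPLINKED: http:// followed by an IP address.
HTTP_IP = re.compile(rf"http://{IPV4}", re.I)
# Shortened forms from the processing-saving reply: two digits 10-99, no dots.
AT_IP_LITE = re.compile(r"@[1-9]\d")
HTTP_IP_LITE = re.compile(r"http://[1-9]\d", re.I)


def score(body, max_points=None, lite=False):
    """Return the points each filter would add for one message body.

    max_points is a hypothetical cap standing in for the MAXPOINTS idea
    mentioned in the announcement; lite selects the shortened patterns.
    """
    at_ip = AT_IP_LITE if lite else AT_IP
    http_ip = HTTP_IP_LITE if lite else HTTP_IP

    # First combination: 3 points, counted once per message (assumption).
    linked = 3 if AT_WWW.search(body) else 0
    # Second and third combinations: 8 points for every hit, so the
    # score grows with successive hits unless it is capped.
    linked += 8 * len(TLD_AT.findall(body))
    linked += 8 * len(at_ip.findall(body))
    if max_points is not None:
        linked = min(linked, max_points)

    iplinked = 3 if http_ip.search(body) else 0
    return {"@LINKED": linked, "IPLINKED": iplinked}


# Constructed sample bodies using documentation-only addresses and names.
PHISH = "Update your account: http://www.example.com@192.0.2.10/verify"
RAW_IP = "Click http://198.51.100.7/offer now"
LEGIT = "Our store: http://24hourshop.example/ or mail sales@24hourshop.example"

if __name__ == "__main__":
    for name, body in (("PHISH", PHISH), ("RAW_IP", RAW_IP), ("LEGIT", LEGIT)):
        print(name, "full:", score(body), "lite:", score(body, lite=True))
    print("PHISH capped at 10:", score(PHISH, max_points=10))
```

The legitimate sample scores nothing against the full patterns but picks up both filters in the shortened form, which is the false-positive cost the reply attributes to domain names that begin with two numbers.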
RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam detection
John wrote:
> The problem with body filters is the big performance hit the server takes in high-volume setups. Comments?

Or big filters. As an experiment I took the Imail domain blacklist (17000 entries) and turned it into a mongo BODY CONTAINS filter file. It worked magnificently. The flow of spam was choked almost to death. So was the server. Despite a strong dual-proc box with gobs of memory and moderate mail flow, I had to shut it off after 24 hours.

The system was able to handle it until I had a client send out a big mailer of a few thousand individual mailpieces to their membership. Declude spawned a boatload of processes as it scanned all the outgoing mail and gagged the system.

If there was a way for JMPro to NOT test outgoing mail that would be great.

Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com