RE: [Declude.JunkMail] Good filter?
This problem was posted to the list a few weeks back. This regex seems to work well for that. It is in the latest FILTER-SPAM. (?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}) http://|www).+/.(com|info|net)/%5ba-f0-9%5d%7b30,40%7d) From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 9:29 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
re: [Declude.JunkMail] Good filter?
Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Here is another one: gseo35.pennyonello.info/132694139742636427312a49fad18963925fb I've deleted all the previous and hopefully won't get any more after implmenting the filter David sent. I would still like to be able to block URIs by the DNS server or Registrar used. There may be some legitimate domains registered through domainsite.com but I've not seen any. _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Hi David, I think it will FP though - Here is an example: http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120 ed17cc24cd3567fd4396424914.gif with some tweaking I think it could be very effective though We have been wacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: David Barker dbar...@declude.com Sent: Monday, October 18, 2010 10:17 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Does the source have a space or different character after the end of the string ? we could look for a space. or a or (?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[])) David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 11:50 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Hi David, I think it will FP though - Here is an example: http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120 ed17cc24cd3567fd4396424914.gif with some tweaking I think it could be very effective though We have been wacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: David Barker dbar...@declude.com Sent: Monday, October 18, 2010 10:17 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Would checking for the DOT, followed by one or more characters, at the end of the long string serve to eliminate the false positives? _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, October 18, 2010 10:57 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Does the source have a space or different character after the end of the string ? we could look for a space. or a or (?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[])) David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 11:50 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Hi David, I think it will FP though - Here is an example: http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120 ed17cc24cd3567fd4396424914.gif with some tweaking I think it could be very effective though We have been wacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: David Barker dbar...@declude.com Sent: Monday, October 18, 2010 10:17 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail
RE: [Declude.JunkMail] Good filter?
Dunno - I just grepped my logs to find the FP. You will have to get some complete examples to test on. Maybe do a COPYTO on any emails that fail your regex and then fine tune out the false positives. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: David Barker dbar...@declude.com Sent: Monday, October 18, 2010 12:05 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Does the source have a space or different character after the end of the string ? we could look for a space. or a or (?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[])) David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 11:50 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Hi David, I think it will FP though - Here is an example: http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif with some tweaking I think it could be very effective though We have been wacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: David Barker dbar...@declude.com Sent: Monday, October 18, 2010 10:17 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail