RE: [Declude.JunkMail] Good filter?
This problem was posted to the list a few weeks back. This regex seems to
work well for that. It is in the latest FILTER-SPAM.
(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})
http://|www).+/.(com|info|net)/%5ba-f0-9%5d%7b30,40%7d)
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, October 18, 2010 9:29 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?
There is pervasive spammer who's uri pattern for the linked spam site is
pretty consistent. They all have a / followed by some kind of home-grown
obfuscation which his server recognizes:
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
Anyone come up with a clever filter for this?
Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains. Has anyone worked on a solution where the URI can be
checked against the registrar and if its registered with domainsite.com then
weight can be added or it can be blocked?
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
re: [Declude.JunkMail] Good filter?
Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Here is another one: gseo35.pennyonello.info/132694139742636427312a49fad18963925fb I've deleted all the previous and hopefully won't get any more after implmenting the filter David sent. I would still like to be able to block URIs by the DNS server or Registrar used. There may be some legitimate domains registered through domainsite.com but I've not seen any. _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Hi David, I think it will FP though - Here is an example: http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120 ed17cc24cd3567fd4396424914.gif with some tweaking I think it could be very effective though We have been wacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: David Barker dbar...@declude.com Sent: Monday, October 18, 2010 10:17 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if its registered with domainsite.com then weight can be added or it can be blocked? --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Does the source have a space or different character after the end of the
string ? we could look for a space. or a or
(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[]))
David
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 11:50 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
Hi David,
I think it will FP though -
Here is an example:
http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120
ed17cc24cd3567fd4396424914.gif
with some tweaking I think it could be very effective though
We have been wacking the guy w/sniffer General and dnsbl tests. I cannot
tell you which ones of the latter as they are not shown in my logs.
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm
_
From: David Barker dbar...@declude.com
Sent: Monday, October 18, 2010 10:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
Provided the prefix to these is either www or http:// the regex will trigger
on these
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
_
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?
Post a few of his/her base domains - just to be sure we will be taking about
the same guy..
Thanks
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm
_
From: Dave Beckstrom db...@atving.com
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?
There is pervasive spammer who's uri pattern for the linked spam site is
pretty consistent. They all have a / followed by some kind of home-grown
obfuscation which his server recognizes:
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
Anyone come up with a clever filter for this?
Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains. Has anyone worked on a solution where the URI can be
checked against the registrar and if its registered with domainsite.com then
weight can be added or it can be blocked?
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] Good filter?
Would checking for the DOT, followed by one or more characters, at the end
of the long string serve to eliminate the false positives?
_
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, October 18, 2010 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
Does the source have a space or different character after the end of the
string ? we could look for a space. or a or
(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[]))
David
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 11:50 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
Hi David,
I think it will FP though -
Here is an example:
http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120
ed17cc24cd3567fd4396424914.gif
with some tweaking I think it could be very effective though
We have been wacking the guy w/sniffer General and dnsbl tests. I cannot
tell you which ones of the latter as they are not shown in my logs.
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm
_
From: David Barker dbar...@declude.com
Sent: Monday, October 18, 2010 10:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
Provided the prefix to these is either www or http:// the regex will trigger
on these
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
_
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?
Post a few of his/her base domains - just to be sure we will be taking about
the same guy..
Thanks
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm
_
From: Dave Beckstrom db...@atving.com
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?
There is pervasive spammer who's uri pattern for the linked spam site is
pretty consistent. They all have a / followed by some kind of home-grown
obfuscation which his server recognizes:
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
Anyone come up with a clever filter for this?
Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains. Has anyone worked on a solution where the URI can be
checked against the registrar and if its registered with domainsite.com then
weight can be added or it can be blocked?
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail
RE: [Declude.JunkMail] Good filter?
Dunno - I just grepped my logs to find the FP. You will have to get some
complete examples to test on. Maybe do a COPYTO on any emails that fail your
regex and then fine tune out the false positives.
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm
From: David Barker dbar...@declude.com
Sent: Monday, October 18, 2010 12:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
Does the source have a space or different character after the
end of the string ? we could look for a space. or a or
(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[]))
David
From: supp...@declude.com
[mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 11:50 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
Hi
David,
I think it will FP though -
Here is an example:
http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif
with some tweaking I think it could be very effective though
We have been wacking the guy w/sniffer General and dnsbl tests. I cannot
tell you which ones of the latter as they are not shown in my logs.
-Nick
MadRiverAccess.com|Skywaves.com
Tech Support
US/Canada
877-873-6482 or International +1-802-229-6574
Emergency
Support 24/7: supp...@skywaves.net
General
and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm
From: David
Barker dbar...@declude.com
Sent:
Monday, October 18, 2010 10:17 AM
To:
declude.junkmail@declude.com
Subject:
RE: [Declude.JunkMail] Good filter?
Provided the prefix to these is either www or http:// the regex
will trigger on these
From: supp...@declude.com
[mailto:supp...@declude.com] On
Behalf Of Dave Beckstrom
Sent:
Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject:
RE: [Declude.JunkMail] Good filter?
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
From: supp...@declude.com
[mailto:supp...@declude.com] On
Behalf Of Nick Hayer
Sent:
Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject:
re: [Declude.JunkMail] Good filter?
Post a few of his/her base domains - just to
be sure we will be taking about the same guy..
Thanks
-Nick
MadRiverAccess.com|Skywaves.com
Tech Support
US/Canada
877-873-6482 or International +1-802-229-6574
Emergency
Support 24/7: supp...@skywaves.net
General
and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm
From: Dave
Beckstrom db...@atving.com
Sent:
Monday, October 18, 2010 9:38 AM
To:
declude.junkmail@declude.com
Subject:
[Declude.JunkMail] Good filter?
There is pervasive spammer who's uri pattern for the
linked spam site is pretty consistent. They all have a
/ followed by some kind of home-grown obfuscation
which his server recognizes:
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
Anyone come up with a clever filter for this?
Also, these spammers are using domainsite.com as their registrar
for their spamvertized domains. Has anyone worked on a solution where the
URI can be checked against the registrar and if its registered with
domainsite.com then weight can be added or it can be blocked?
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail
