Re: [Declude.JunkMail] anyone know how to stop this?
On 8 Nov 2004 at 14:31, Scott Fisher wrote:

Scott,

> If you have the horsepower to spare... Use ClamAv and Turn PreScan off with Declude Virus Pro. 131 Phish detections this month through yesterday (33271 total e-mails).

Neat. I was unaware that the virus programs also did some content filtering.

> If you still want to burn even more horsepower up. I have an anti-phish filter that uses lots of body searches posted in the multiline filter part of my Declude website: http://it.farmprogress.com/declude/declude.htm

Good stuff

-Nick

> ----- Original Message -----
> From: System Administrator [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, November 08, 2004 1:46 PM
> Subject: [Declude.JunkMail] anyone know how to stop this?
>
> A single .gif with the standard phish.
>
> Greg

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

Re: [Declude.JunkMail] anyone know how to stop this?
I implemented Scott Fisher's spamdomains filters yesterday afternoon and caught all the paypal mydoom variants with the SD-PHISH filter.

Thanks Scott!

Rick Davidson
National Systems Manager
North American Title Group

> ----- Original Message -----
> From: Nick [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, November 09, 2004 10:15 AM
> Subject: Re: [Declude.JunkMail] anyone know how to stop this?
>
> On 8 Nov 2004 at 14:31, Scott Fisher wrote:
>
> Scott,
>
> > If you have the horsepower to spare... Use ClamAv and Turn PreScan off with Declude Virus Pro. 131 Phish detections this month through yesterday (33271 total e-mails).
>
> Neat. I was unaware that the virus programs also did some content filtering.
>
> > If you still want to burn even more horsepower up. I have an anti-phish filter that uses lots of body searches posted in the multiline filter part of my Declude website: http://it.farmprogress.com/declude/declude.htm
>
> Good stuff
>
> -Nick

Re: [Declude.JunkMail] anyone know how to stop this? topic change
On 8 Nov 2004 at 13:08, Bill Landry wrote:

Bill,

A little SpamAssassin help please -

> It does, but it can also be used with Declude as an RHSBL now:
>
> MAILPOLICE-FRAUD fraud.rhs.mailpolice.com 127.0.0.230

to see if I have this correct for SA 3x

In my local.cf

urirhsbl URIBL_MP fraud.rhs.mailpolice.com. A # A record lookup
header URIBL_MP eval:check_uridnsbl('URIBL_MP')
describe URIBL_MP Contains a URL listed in the MP SURBL blocklist
tflags URIBL_MP net
score URIBL_MP 2.0 #value returned to SA

I can use any RHSBL I like - correct?

Thanks!

-Nick

> Bill

Re: [Declude.JunkMail] anyone know how to stop this? topic change
----- Original Message -----
From: Nick [EMAIL PROTECTED]

> A little SpamAssassin help please -
>
> > It does, but it can also be used with Declude as an RHSBL now:
> >
> > MAILPOLICE-FRAUD fraud.rhs.mailpolice.com 127.0.0.230
>
> to see if I have this correct for SA 3x
>
> In my local.cf
>
> urirhsbl URIBL_MP fraud.rhs.mailpolice.com. A # A record lookup
> header URIBL_MP eval:check_uridnsbl('URIBL_MP')
> describe URIBL_MP Contains a URL listed in the MP SURBL blocklist
> tflags URIBL_MP net
> score URIBL_MP 2.0 #value returned to SA
>
> I can use any RHSBL I like - correct?

Not quite. Here's a sample of how to set up URIRHSBL support in SA:

urirhsbl URIBL_MP_RHSBL block.rhs.mailpolice.com. A
body URIBL_MP_RHSBL eval:check_uridnsbl('URIBL_MP_RHSBL')
describe URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL blocklist
tflags URIBL_MP_RHSBL net
score URIBL_MP_RHSBL 2.0

This is for the MailPolice block list, which also incorporates the fraud list. If you want to use fraud only, change the hostname above from block to fraud.

Bill

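What a urirhsbl rule like the ones in this exchange checks at scan time, sketched in Python as an added example (not code from the thread, SpamAssassin or MailPolice): each URL host in the body is reduced to its registrable domain and looked up as an A record under the list zone. The two-level suffix set, the stub resolver, the sample body and the 127.0.0.2 answer are constructed assumptions; SpamAssassin uses its own TLD tables and real DNS.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ZONE = "fraud.rhs.mailpolice.com"  # list zone named in the thread

# Assumption: a short stand-in for the TLD tables a real scanner uses.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a hostname to the domain an RHSBL lists; None for IP literals."""
    host = host.strip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None  # right-hand-side lists hold names, not addresses
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return None
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def query_names(body, zone=ZONE):
    """Return the de-duplicated DNS names to query for the URLs in body."""
    names = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed bracketed host
            continue
        domain = registrable_domain(host) if host else None
        name = f"{domain}.{zone}" if domain else None
        if name and name not in names:
            names.append(name)
    return names


def check_body(body, resolve, zone=ZONE):
    """Return listed domains: those whose A lookup answers in 127.0.0.0/8."""
    listed = []
    for name in query_names(body, zone):
        answers = resolve(name)  # list of IPv4 strings, [] when not listed
        if any(a.startswith("127.") for a in answers):
            listed.append(name[: -len(zone) - 1])
    return listed


# Constructed sample: one listed domain, one IP-literal image, one clean link.
STUB_ZONE_DATA = {"badbank.example.fraud.rhs.mailpolice.com": ["127.0.0.2"]}
SAMPLE_BODY = (
    '<a href="http://www.secure.badbank.example/login">'
    '<img src="http://203.0.113.9/a.gif"></a>\n'
    "Terms: http://news.example.co.uk/ or http://badbank.example/x\n"
)


def stub_resolve(name):
    """Offline resolver stub; swap in a real DNS A lookup in production."""
    return STUB_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    print(query_names(SAMPLE_BODY))
    print(check_body(SAMPLE_BODY, stub_resolve))
```

The IP-literal image URL produces no query at all, which is why a right-hand-side list alone does not cover links that point straight at an address.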
Re: [Declude.JunkMail] anyone know how to stop this? topic change
I should have clarified, the example I give below is for SA 3.0.1, since they changed the action from header to the more appropriate body setting between SA 3.0.0 and 3.0.1. So, you have it correct if you are using anything before 3.0.1.

Bill

> ----- Original Message -----
> From: Bill Landry [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, November 09, 2004 11:12 AM
> Subject: Re: [Declude.JunkMail] anyone know how to stop this? topic change
>
> Not quite. Here's a sample of how to set up URIRHSBL support in SA:
>
> urirhsbl URIBL_MP_RHSBL block.rhs.mailpolice.com. A
> body URIBL_MP_RHSBL eval:check_uridnsbl('URIBL_MP_RHSBL')
> describe URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL blocklist
> tflags URIBL_MP_RHSBL net
> score URIBL_MP_RHSBL 2.0
>
> This is for the MailPolice block list, which also incorporates the fraud list. If you want to use fraud only, change the hostname above from block to fraud.
>
> Bill

Re: [Declude.JunkMail] anyone know how to stop this? topic change
On 9 Nov 2004 at 11:27, Bill Landry wrote:

Thanks!! Bill [I do have 3.0.1]

-Nick

> I should have clarified, the example I give below is for SA 3.0.1, since they changed the action from header to the more appropriate body setting between SA 3.0.0 and 3.0.1. So, you have it correct if you are using anything before 3.0.1.
>
> Bill

Re: [Declude.JunkMail] anyone know how to stop this?
You could block with a body filter on the URL.

Darin.

> ----- Original Message -----
> From: System Administrator [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, November 08, 2004 2:46 PM
> Subject: [Declude.JunkMail] anyone know how to stop this?
>
> A single .gif with the standard phish.
>
> Greg

Re: [Declude.JunkMail] anyone know how to stop this?
If you have the horsepower to spare...

Use ClamAv and Turn PreScan off with Declude Virus Pro.

131 Phish detections this month through yesterday (33271 total e-mails).

You are going to be scanning a lot lot more stuff. But not too many phish are going to get through. ClamAv seems to be going after the phish pretty well.

If you still want to burn even more horsepower up. I have an anti-phish filter that uses lots of body searches posted in the multiline filter part of my Declude website: http://it.farmprogress.com/declude/declude.htm

> ----- Original Message -----
> From: System Administrator [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, November 08, 2004 1:46 PM
> Subject: [Declude.JunkMail] anyone know how to stop this?
>
> A single .gif with the standard phish.
>
> Greg

RE: [Declude.JunkMail] anyone know how to stop this?
I've been trapping them with the various suntrust strings in the subject line.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Monday, November 08, 2004 3:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] anyone know how to stop this?
>
> You could block with a body filter on the URL.
>
> Darin.

RE: [Declude.JunkMail] anyone know how to stop this?
And if you *really* have horsepower to spare (and some of your own time), implement Sandy's spamc to hook into a SpamAssassin daemon and run SURBL.

Me, I'm waiting for SURBL support in Declude, as the Outblaze and Phishing URI tests in the multi.surbl.org cover a lot of fresh phishing domains.

Andrew 8)

> -----Original Message-----
> From: Scott Fisher [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 08, 2004 12:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] anyone know how to stop this?
>
> If you have the horsepower to spare...
>
> Use ClamAv and Turn PreScan off with Declude Virus Pro.
>
> 131 Phish detections this month through yesterday (33271 total e-mails).
>
> You are going to be scanning a lot lot more stuff. But not too many phish are going to get through. ClamAv seems to be going after the phish pretty well.
>
> If you still want to burn even more horsepower up. I have an anti-phish filter that uses lots of body searches posted in the multiline filter part of my Declude website: http://it.farmprogress.com/declude/declude.htm

Re: [Declude.JunkMail] anyone know how to stop this?
I think fraud.rhs.mailpolice.com would also work with the SURBL.

> ----- Original Message -----
> From: Colbeck, Andrew [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, November 08, 2004 2:42 PM
> Subject: RE: [Declude.JunkMail] anyone know how to stop this?
>
> And if you *really* have horsepower to spare (and some of your own time), implement Sandy's spamc to hook into a SpamAssassin daemon and run SURBL.
>
> Me, I'm waiting for SURBL support in Declude, as the Outblaze and Phishing URI tests in the multi.surbl.org cover a lot of fresh phishing domains.
>
> Andrew 8)

Re: [Declude.JunkMail] anyone know how to stop this?
It does, but it can also be used with Declude as an RHSBL now:

MAILPOLICE-FRAUD fraud.rhs.mailpolice.com 127.0.0.230

Bill

> ----- Original Message -----
> From: Scott Fisher [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, November 08, 2004 12:54 PM
> Subject: Re: [Declude.JunkMail] anyone know how to stop this?
>
> I think fraud.rhs.mailpolice.com would also work with the SURBL.