Matt,
It appears that your coding for a combination of http url encoding in
urls is redundant since you capture both types individually. It's a small
optimization, but worth mentioning.
_M
At 07:46 PM 9/14/2003 -0400, you wrote:
I've posted a newer version of the OBFUSCATION filter on my
At 05:58 AM 9/15/2003 -0400, you wrote:
Matt,
It appears that your coding for a combination of http url encoding in
urls is redundant since you capture both types individually. It's a small
optimization, but worth mentioning.
_M
Oops... Sorry, I meant HTML.
---
[This E-mail was scanned for
Hi Bill:
You are right... No disagreement here.
We had negative MAILFROM but it was being abused like crazy. We were
getting so much spam from faked addresses. We now have a negative list for
mailing lists and at times we see email coming through.
REVDNS whitelist has worked well and we have
I would like to see an updated list also.
Todd
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 3:56 PM
Subject: [Declude.JunkMail] SPAMDOMAINS
Any one have an updated list to share?
John Tolmachoff MCSE
That was me, and thank you for posting that!
Since someone asked about our whitelist, here it is (these are the general
items; we have in this list some of our clients with screwed up server
setups, but those are taken out in this list). This goes in the
Global.cfg file.
Have you customized any registry settings for TCP/IP?
No. Haven't needed to.
with your DNS lookups. First, you should be downloading TXT records
from the RBL's instead of doing remote lookups. That should
save you a ton of resources.
We have a caching DNS server in front of Declude
Kami, I hope there are no spammers monitoring this list since now they know
how to easily spam your e-mail domains. It is never a good idea to share
your whitelists in a public forum.
Bill
- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday,
Sorry, my fault for asking.
Kami, I hope there are no spammers monitoring this list since
now they know
how to easily spam your e-mail domains. It is never a good
idea to share
your whitelists in a public forum.
But, Kami just listed the revdns whitelists, wouldn't the spammer have to
have a RDNS listing of something in her whitelist (not likely) to take
advantage of the listing?
Jason
- Original Message -
From: Keith Anderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15,
Bill is right.
As a general rule it is not a good idea to post whitelists on a list.
REVDNS faking is not as easy as faking return email. But as was discussed a
long time ago it is still possible. Scott had a lengthy posting regarding
this indicating the difficulties but yet again it is
I don't see WHITELIST REVDNS ... in the instructions anywhere. What is
this doing exactly, and what are the other WHITELIST options?
Thanks
This E-mail came from the Declude.JunkMail mailing list. To
Yes, but since I run my own name servers, I could easily set up the IP
address of my mail server to respond to a reverse query with one of the
domains listed in his whitelist. Granted, RDNS is more difficult to forge
than, say, HELO or MAILFROM, but it is still fairly trivial if you run your own
name
Keith,
Monday, September 15, 2003 you wrote:
KA I don't see WHITELIST REVDNS ... in the instructions anywhere. What is
KA this doing exactly, and what are the other WHITELIST options?
see http://www.declude.com/relnotes.htm
1.66 [Beta, 17 Jan 2003]
Terry Fritts
---
Yes, but since I run my own name servers, I could easily set up the IP
address of my mail server to respond to a reverse query with one of the
domains listed in his whitelist. Granted, RDNS is more difficult to forge
than, say, HELO or MAILFROM, but it is still fairly trivial if you run your own
name
Pete,
It's not redundant because the two by themselves only check for strings
of two, while the combination checks for strings with one of each in
succession. This way, if they go back and forth between the two, it
will get caught as long as there is a . or @ between them, or as
long as it
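The distinction Matt draws above (two URL-encoded characters in a row, two HTML-encoded characters in a row, and one of each in succession) is easy to see in code. The following is an added example written for this archive, not Matt's OBFUSCATION filter and not Declude filter syntax; the regular expressions and the "." / "@" separator handling are assumptions chosen to mirror the description in the post.

```python
import re

# One URL-encoded byte (%77) and one HTML numeric character reference (&#119; or &#x77;).
# These two patterns are assumptions, not the filter's actual definitions.
URL_ENC = r"%[0-9A-Fa-f]{2}"
HTML_ENC = r"&#(?:\d{1,3}|x[0-9A-Fa-f]{1,2});"

# What each single-type rule catches: two of the same kind back to back.
TWO_URL = re.compile(f"(?:{URL_ENC}){{2}}")
TWO_HTML = re.compile(f"(?:{HTML_ENC}){{2}}")

# What the combination rule catches: one of each in succession, optionally
# separated by "." or "@" so that an obfuscated address or host name still hits.
MIXED = re.compile(f"(?:{URL_ENC}[.@]?{HTML_ENC}|{HTML_ENC}[.@]?{URL_ENC})")


def classify(text):
    """Report which of the three encoding patterns appear in a message body."""
    return {
        "two_url": bool(TWO_URL.search(text)),
        "two_html": bool(TWO_HTML.search(text)),
        "mixed": bool(MIXED.search(text)),
    }


# Constructed sample bodies for illustration (not real spam samples).
SAMPLES = {
    "url_only": "http://example.invalid/%77%77%77",
    "html_only": "&#119;&#119;&#119;.example.invalid",
    "alternating": "%77&#119;%77&#119;",      # only the combination rule hits
    "alternating_dot": "%77.&#119;",           # separator between the two kinds
    "plain": "nothing encoded here",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} {classify(body)}")
```

Note that the alternating sample never contains two `%xx` or two `&#NNN;` sequences in a row, so the two single-type rules miss it entirely; only the mixed pattern flags it, which is the reason the combination rule is not redundant.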
I have this line in my sender.eml file:
SKIPIFVIRUSNAMEHAS Fizzer
However, The sender notice is still being sent and starts off like this:
The Declude Virus software on our mail server detected the the
W32/[EMAIL PROTECTED] virus
!!!
I know, because one particular address always bounces
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Not only do you need your own nameservers, but you also need your upstream
to delegate authority for the reverse DNS entries to you. So any open
relays or open proxies will not have forged reverse DNS. Then, there are
the
Ahh. Understood. I got confused by our rules where we code for a single
instance restricted to the URL. (Can't do that without wildcards). All
good then. Great work!
_M
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Matthew Bramble
|Sent: Monday,
Keith,
I still haven't applied the patch, but will report back when I do.
Regarding that one problem customer posting their entire directory on
the Web; you might want to suggest that they either URL encode or HTTP
encode their entire address in the MAILTO tags and displayable text on
their
Bill Landry wrote:
Still does not make it wise to share whitelists on a public forum. However,
if you are promoting a whitelist exchange on this list, so be it; however,
it's not a practice I plan to participate in.
I have less than 500 addresses being used on my server and only about
250
Someone typed in a message about deleting email that is to postmaster email
which are basically junk messages sitting in the spool directory and now I
can't find it. Anyone remember the subject so I can find it?
TIA
- Original Message -
From: Matthew Bramble [EMAIL PROTECTED]
Still does not make it wise to share whitelists on a public forum.
However,
if you are promoting a whitelist exchange on this list, so be it;
however,
it's not a practice I plan to participate in.
I have less than 500
Bill Landry wrote:
Hmmm, you seem to be missing the point. Spammers monitor these spam lists
in order to learn how to subvert spam filters, so why make their jobs any
easier and your users any more vulnerable?
None of this stuff is a big secret, and besides, pretending to come from
a domain like
Delete based on specified content
Danny Klopfer wrote:
Someone typed in a message about deleting email that is to postmaster email
which are basically junk messages sitting in the spool directory and now I
can't find it. Anyone remember the subject so I can find it?
TIA
I've been reading the recent threads and someone mentioned it a bad idea
to post employee email addresses on their company webpage because of
spammers or bots harvesting them.
Isn't this a little bit paranoid or am I just naive? Isn't it a pretty
common practice for a company to list emails
Dan,
The best practice is to advertise generic addresses, and don't subscribe
such addresses to anything. Then you know that harvested addresses will
likely be those on your site, and you can weight them higher, or fail on
a lower score, whichever. At least that's what I do. I also
I manage both our public sites and our mail server, so I have consistent direct evidence
of this harvesting. The quick workaround is to use JavaScript to display the addresses.
Most bots won't bother to figure it out.
Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Hi,
Is it ok to do this:
REVDNS -35 ENDSWITH .ebay.
and it'll pick up ebay.com, ebay.ca and etc?
What happens if someone has this as reverse spammy.ebay.spam.com? Will this
be valid too?
We're not a very big company - about 35 employees.
I created an account for a new employee who wasn't due to start for 5 days
and added his e-mail address to the company directory on our web site. In
keeping with the insert expletive here corporate policy, the directory
listings are not
- Original Message -
From: Matthew Bramble [EMAIL PROTECTED]
None of this stuff is a big secret, and besides, pretending to come from
a domain like AOL or Amazon has resulted in spammers being sued
successfully. Clearly they already know the tactics and have used them.
And these
- Original Message -
From: Kevin [EMAIL PROTECTED]
Hi,
Is it ok to do this:
REVDNS -35 ENDSWITH .ebay.
and it'll pick up ebay.com, ebay.ca and etc?
No, in this case it will only match if the end of the line is a period ".".
I think what you want to do is:
REVDNS -35 CONTAINS
Is it ok to do this:
REVDNS -35 ENDSWITH .ebay.
and it'll pick up ebay.com, ebay.ca and etc?
No -- because ebay.ca doesn't end with ".ebay.".
You want "REVDNS -35 CONTAINS .ebay.".
What happens if someone has this as reverse spammy.ebay.spam.com? Will
this be valid too?
Yes. The
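To make the ENDSWITH / CONTAINS difference concrete, and to show the side effect raised in the last question (a name like spammy.ebay.spam.com also matching), here is an added example that emulates the string operators used in this thread. It is not Declude code; case-insensitive comparison and the tuple layout of the rules are assumptions.

```python
# Emulation of the Declude-style operators discussed in the thread.
# Assumption: comparison is case-insensitive (the real product's behaviour is not stated here).
def revdns_matches(op, pattern, name):
    """Return True if the reverse-DNS name satisfies a single CONTAINS / ENDSWITH / IS rule."""
    n, p = name.lower(), pattern.lower()
    if op == "CONTAINS":
        return p in n
    if op == "ENDSWITH":
        return n.endswith(p)
    if op == "IS":
        return n == p
    raise ValueError(f"unknown operator {op!r}")


def score(rules, name):
    """Sum the weights of every rule that matches; rules are (operator, weight, pattern) tuples."""
    return sum(weight for (op, weight, pattern) in rules if revdns_matches(op, pattern, name))


# The two rules from the thread, plus a tighter alternative that names the
# expected domains explicitly instead of a substring.
ENDSWITH_RULE = [("ENDSWITH", -35, ".ebay.")]
CONTAINS_RULE = [("CONTAINS", -35, ".ebay.")]
STRICT_RULES = [("ENDSWITH", -35, ".ebay.com"), ("ENDSWITH", -35, ".ebay.ca")]

# Constructed reverse-DNS names for illustration.
NAMES = ["mx1.ebay.com", "mx.ebay.ca", "spammy.ebay.spam.com", "mail.example.net"]

if __name__ == "__main__":
    for name in NAMES:
        print(f"{name:24} ENDSWITH={score(ENDSWITH_RULE, name):4} "
              f"CONTAINS={score(CONTAINS_RULE, name):4} STRICT={score(STRICT_RULES, name):4}")
```

The CONTAINS rule gives ebay.com and ebay.ca the intended credit, but it gives the same credit to any host whose reverse name merely contains ".ebay.", which is exactly what a spammer controlling their own reverse zone (as described earlier in the thread) would exploit. Listing the real suffixes with ENDSWITH keeps the credit where it was meant to go.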
With all this talk of email addresses on web pages...
What is the best way to obfuscate them? HTML (how is this done?)? Java
(how is this done?)?
Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
Scott,
Is there a limit to how far down a file the text filters will search?
I've come across a few examples where a text filter of:
BODY 0 CONTAINS base64
...didn't hit when it was actually in the message as text. In the most
recent example, this was 72,486 characters into the
Is there a limit to how far down a file the text filters will search?
Yes -- it will only check the first 32K of the E-mail.
Also, is there a fix available for the BADHEADERS 840a error? I get a
decent number of these every day, and they're often false positives (as
was discussed before).
Generally speaking, what are the bots looking for? Only mailto:'s? Or are they smart
enough to use a regex search and find any text of the form [EMAIL PROTECTED]?
Jason Wolfe
Lead Developer
Netcomm, Inc.
http://www.netcomm.com
(859) 224-4124
Generally speaking, what are the bots looking for? Only mailto:'s? Or are
they smart enough to use a regex search and find any text of the form
[EMAIL PROTECTED]?
Sobig.F uses regexp to find addresses on cached web pages, so I would not
be surprised if tools spammers use to harvest addresses
Example...
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
<!-- //
// Split the address into pieces so the literal user@domain never appears in the page source.
var grabthis = "username";
var andthis = "domain.com";
document.write("<A HREF=" + "mail" + "to:" + grabthis + "@" + andthis + ">" + grabthis
+ "@" + andthis + "</A>")
// -->
</SCRIPT>
Keith Purtell, Web/Network Administrator
VantageMed Operations
Ok, here's an easy one from a Declude newbie.
Are the config files whitespace agnostic? Are tab and space the
same thing? can I have more than one separating the various columns of
parameters?
--
---
Illegitimi non carborundum
I know this is a little late to the party. But I do think spammers monitor
this list. A few weeks back I posted some IP addresses that I was receiving
spam from. I have not received a single spam from those servers since but
other users/domains on my server have.
I have them spamtrapped so I can
Are the config files whitespace agnostic? Are tab and space the same
thing? can I have more than one separating the various columns of parameters?
In most cases, they are treated the same.
The two exceptions that come to mind are in filters (where BODY 0 CONTAINS
wordtab would only match
Thanks for the answers. I would imagine that it makes a lot of sense to
limit it at 32 K. The root of my issue then becomes Microsoft Word's
unbelievably bloated code. If they can't construct a simple E-mail
without 500% overhead in their tagging, I can see why Linux people laugh
about
They're still a work in progress of course, but most of the major
sources of FP's seem to have been fixed.
The major changes are that the tests have both been split into two
files, one for positives, and one for counterbalancing false positives.
This reduces the possibility of crediting too
Matthew,
Thanks that is what I was looking for. So is this basically what you did:
Change the postmaster alias to [EMAIL PROTECTED]
In the rule.ima have:
[EMAIL PROTECTED]:NUL
Thanks
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
If you're a small company with 5 to 15 people, then it's not as bad as a
company with hundreds of employees, or in the case of my client, thousands.
Against our advice, they placed their entire directory online for
convenience of their customers and it turned into a harvest festival for
spammers.
As far as the Microsoft update status, I've been granted a Microsoft
engineer who is paying us a visit this week to witness all of this for
himself.
Regarding that one problem customer posting their entire
directory on the Web; you might want to suggest that they
It's not on their web page
I just recently installed Declude JunkMail and while tweaking the weights
discovered the Digest version of this List fails the BADHEADERS test. Kinda
ironic, no?
Received: from declude.com [24.107.232.14] by mail.roycemedical.com with
ESMTP
(SMTPD32-6.06) id AAFF3A0002D6; Sun, 14 Sep 2003
The non-digest version fails BADHEADERS also. We whitelisted it here.
-Original Message-
From: Alan Walters [mailto:[EMAIL PROTECTED]
Sent: Monday, September 15, 2003 4:02 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] Declude List in Digest Mode fails
BADHEADERS
I
Keith, you have good stories. BTW, I was one of those folks working in
Corporate CYA America as a webmaster. I didn't last long. Couldn't
stand the way things worked. Our firewall administrator didn't even
know the basics of TCP/IP, and it took several weeks and meetings to
get him to stop
Keith, you have good stories.
I'm a novice in a group like this.
Anyway, I'm not sure if you were acknowledging my suggestion
about DNS or exploring it further. For the sake of this
Exploring further. I think network resources are used whether they exit the
machine or are passed
Keith, you have good stories.
I'm a novice in a group like this.
You must be doing something right to get MS to send an Engineer out to you.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
Just so people are aware, Network Solutions just hours ago made the dumb
move of making all unregistered domains point to their web site. As a
result, very little E-mail will fail the MAILFROM test in Declude JunkMail
(only E-mail from addresses on recently expired domains, and domains not
You must be doing something right to get MS to send an
Engineer out to you.
I doubt it has anything to do with us. It's more the fact that our one
client (who is only our client because of extremely good luck) has thousands
of Windows clients and a long-term Microsoft support contract that
Seems like the easiest solution is to block all email from domains that
resolve to 64.94.110.x. The question is, how do we do this? (I'm still
learning... sorry if this is a stupid question.)
NS is going to make a lot of enemies doing this.
Just so people are aware, Network Solutions just
That should have been bleed and now I'm going to stop this off-topic
thread. Thank you.
won't do that for
any of our other clients.
What we do right is work hard, blees, beg and butt kiss. :)
Spammers put links in the body of messages and more recently are creating them by the
pound, changing to new ones multiple times/days. Is it possible to have a test that
checks the age of domain names in the body? This information is available from a
number of places:
Any more than they already have?? It's not a stupid move at all (if you're
NetSol). They make all of their money on the ignorance of newbies that
just don't know any better. Once people realize what lyin', cheatin',
stealin' scum they are...you get the idea.
Do all of the unregistered domains
Good call Keith. I don't know what the proper address would be, but
the following article says that it can be blocked:
http://biz.yahoo.com/ap/030915/internet_typos_1.html
If you were correct, you would probably have to do this in your DNS
server. Maybe set up reverse DNS for that block.
I know those rules, but I don't perceive it to be the case. I've enclosed
the sender.eml, if you would please take a look at it.
Thanks.
-Mike
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Monday, September 15, 2003 10:17 AM
To:
Ignore my earlier reverse DNS thoughts, that doesn't make any sense :)
I certainly have my moments.
I think the article is also wrong by saying that DNS could be used to
defeat this. I'm betting that providers like AOL are just simply
configuring that block of addresses to point to their own
Open your sender.eml with notepad, then copy and paste into a new text
document.
Outlook treats this as an attached e-mail and messes with it.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
For now I've added:
REVDNS 10 ENDSWITH sitefinder-idn.verisign.com
to at least be able to add some weight to e-mail messages that use bogus
domain names and resolve RDNS for 64.94.110.11 to
sitefinder-idn.verisign.com.
Bill
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Oops, never mind, that's not going to work. Hmmm, back to the drawing board
on this one...
Bill
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 7:18 PM
Subject: Re: [Declude.JunkMail] A slight increase in spam not getting
I think a better filter might be:
BODY 100 CONTAINS verisign
HEADERS 100 CONTAINS verisign
HELO 100 CONTAINS verisign
MAILFROM 100 CONTAINS verisign
REMOTEIP 100 CONTAINS verisign
REVDNS 100 CONTAINS verisign
ALLRECIPS 100 CONTAINS verisign
SUBJECT 100
Yep, that should certainly cover all of the bases! ;-)
Actually, what we need is a hostname lookup filter:
HOSTNAME-ADDR 25 IS 64.94.110.11
If the hostname resolves to 64.94.110.11, then add lots of weight to the message.
Bill
- Original Message -
From: Matthew Bramble
On Sep 15, 2003, at 11:11 PM, wayne wrote:
In [EMAIL PROTECTED] Matt Larson
[EMAIL PROTECTED] writes:
Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildcard record in the .com
Another good test for this would be a mail domain "A" record lookup filter:
MAILDOMAIN 25 IS 64.94.110.11
That, combined with the hostname "A" record lookup filter below, would take
care of this stupid VeriSpam issue.
Bill
- Original Message -
From: Bill Landry
To:
That's what I mistakenly thought, at first. However, nothing will ever
connect to your server with the IP address of 64.94.110.11, so you should
never have the opportunity to resolve the IP to a name. Rather, they will
connect with a bogus hostname or mail domain, and the forward lookup (A
Interesting side effect of Verislime's move. Just set up an ip4r test that goes to a bogus domain and then all the bad addresses result in an answer of 64.94.110.11. Maybe this is how we can take advantage of this?
If I made an ip4r test of aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com then I'd