On 1/13/2012 10:39 AM, Scott Fisher wrote:
One Hotmail spammer peddling Chinese drugs
is consistently getting through.
There just isn’t enough wrong with the
emails to get it stopped.
Â
One oddity
All of my samples have been send to madscientist@
From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Friday, January 13, 2012 10:10 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] regex help needed
On 1/13/2012 10:39 AM, Scott Fisher wrote:
One Hotmail spammer
On 1/13/2012 11:24 AM, Scott Fisher wrote:
All of my samples have been
send to madscientist@
Sorry, I don't have them.
If they were not zipped then it is likely the message got stripped
out by existing rules.
If they were zipped perhaps they are just slow
Apparently I’m catching them on the way out with clamav .
Resending now
From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Friday, January 13, 2012 10:50 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] regex help needed
On 1/13/2012 11:24 AM, Scott Fisher wrote
On 1/13/2012 12:03 PM, Scott Fisher wrote:
Resending
now
Ok I got it and we identified a few additional vectors to throw at
this. SNF should catch more of these now, and the SortMonsters are
looking at additional vectors as our supply of samples grows. At
.
David
-Original Message-
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Thursday, November 03, 2011 10:38 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue
well based on your response I guessed you couldn't reproduce it with the
example I sent
will send the log entries and sample messages directly to support
--
Rick
-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, November 04, 2011 6:33 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue
You could try restricting
[mailto:rdavid...@nat.com]
Sent: Friday, November 04, 2011 11:30 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue
The character limits do work, that is how I originally tested it, looking for
a better solution I consulted our lead programming nerd, he hipped me
Hi Rick,
Are you sure your regex catches the long URL how did you test it ?
David
-Original Message-
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Thursday, November 03, 2011 6:38 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Regex Greed Issue
I am trying to
Subject: RE: [Declude.JunkMail] Regex Greed Issue
Hi Rick,
Are you sure your regex catches the long URL how did you test it ?
David
-Original Message-
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Thursday, November 03, 2011 6:38 PM
To: Declude.JunkMail@declude.com
Subject
://payoff.all-debt-forever.com/78a7d79a040f797d40213817450579288
Andrew 8)
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, July 23, 2010 6:40 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block
On 7/27/2010 2:10 PM, Colbeck, Andrew wrote:
Flavour of the day:
Relevant bits of the header:
Received: from payoff.all-debt-forever.com [173.192.161.27]
Subject: Stay on top of your credit report
Thanks -- coded some rules, will be looking for abstract opportunities.
Also coded several
I strongly suggest not doing this exact test. Scott's is more refined,
however it's still not refined enough to not have false positives.
This spammer is better caught by his boundary, for example:
Content-type: multipart/alternative;
On 7/23/2010 2:29 PM, Matt wrote:
This spammer accounts for about 7% of all E-mail that makes it to my
deep scanning layer. Sniffer seems to miss a good deal of their spam,
so there isn't much protection from it otherwise.
Matt -- Is it possible for you to zip up some samples from this guy
PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block this?
I strongly suggest not doing this exact test. Scott's is more refined,
however it's still not refined enough to not have false positives.
This spammer is better caught by his boundary, for example
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block this?
I strongly suggest not doing this exact test. Scott's is more refined,
however it's still not refined enough to not have false positives.
This spammer is better caught by his boundary, for example:
Content-type
Pete,
Will do. I call this spammer Whitestone, but there is another very
prolific spammer that also has the same volume named BlooSky Interactive
(real company name) that is also frequently missed. I'm guessing that
they aren't landing in spam traps to the same degree as some others, or
On 7/23/2010 6:37 PM, Matt wrote:
Pete,
Will do. I call this spammer Whitestone,
Much appreciated. I'll take a closer look with the team to see what we
can do to close these guys down better.
Thanks!
_M
--
President
MicroNeil Research Corporation
www.microneil.com
---
[This E-mail
I guess my point here is that they are both very high volume spammers,
and they both randomize sufficiently so that blocking them requires
blocking their domains and having the samples available, but putting in
proactive rules will only last a short time. What Sniffer may need is a
better
On 7/23/2010 9:19 PM, Matt wrote:
I guess my point here is that they are both very high volume spammers,
and they both randomize sufficiently so that blocking them requires
blocking their domains and having the samples available, but putting
in proactive rules will only last a short time.
Hi Dave,
Give this a try it is what you have asked for. Test it first to see if it
gives you the results you are looking for.
(?i:href=.+\.com/[a-z0-9]+)
David
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Tuesday, July
I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here
(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})
-Original
Thanks. David's regex worked well. I'll give the fine tuning a try.
Also, all of this spammer's domains are in DNS servers ns1.domainsite.com -
ns4.domainsite.com.
I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so
I would say you have it pretty much down. If I did it I would have this
(?i:as.{0,2}seen.{0,2}on.{0,2}(?:oprah|60.{0,2}minutes))
You have an extra . between seen and on
David B
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent:
David,
Thanks. For the life of me I did not see that extra period.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: 2009-02-18 12:39
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Regex
I would say you
Stupid question but where/how can you use regEx in Declude?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, October 22, 2004 4:46 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] regEx question
Ok, I'm a bit of a newbit
I saw code in here on how to remove HTML tags:
http://juicystudio.com/tutorial/vb/regexp.asp
- Original Message -
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 22, 2004 3:45 PM
Subject: [Declude.JunkMail] regEx question
Ok, I'm a bit of a newbit with regEx
You can only do this with an external test that you create yourself.
Matt
Mark E. Smith wrote:
Stupid question but where/how can you use regEx in Declude?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, October
- Original Message -
From: Matt [EMAIL PROTECTED]
Ok, I'm a bit of a newbit with regEx and I could really use some help
with this one. I know how to detect all of the HTML in a file by using
[^]*, but I'm not sure how to detect everything but the HTML. Could
someone please help me
Bill Landry wrote:
Matt, you might try using the invert-match flag: -v
-v, --invert-match
Invert the sense of matching, to select non-matching lines.
Unfortunately that isn't an option in VBScript. What I was really
trying to do is return a string with just the HTML and not
- Original Message -
From: Matt [EMAIL PROTECTED]
Unfortunately that isn't an option in VBScript. What I was really
trying to do is return a string with just the HTML and not what is
before, after or in between it. When you execute a regEx expression in
VBScript, it returns the
Bill,
It is limited as far as regEx goes with programming languages, and any
sort of chaining is done one step at a time and requires you to code
loops and do string manipulation to get what you are after. There's a
big difference with how command line switches and chaining works with
the
32 matches
Mail list logo
