[Declude.JunkMail] Good filter?

There is pervasive spammer who's uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

RE: [Declude.JunkMail] Good filter?

This problem was posted to the list a few weeks back. This regex seems to work well for that. It is in the latest FILTER-SPAM. (?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}) http://|www).+/.(com|info|net)/%5ba-f0-9%5d%7b30,40%7d) From: supp...@declude.com

[Declude.JunkMail] Spam Routing and IP 6?

Hi, I may be barking up the wrong tree. But since the following email only had a single IP v4 hop to our Imail, I can't see how this could possibly be caught by spamrouting - unless there is some confusion on how to treat the IP v6 address address: Received: from SDKENG01.dkeng.co.uk

re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to be sure we will be taking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support

RE: [Declude.JunkMail] Good filter?

Here is another one: gseo35.pennyonello.info/132694139742636427312a49fad18963925fb I've deleted all the previous and hopefully won't get any more after implmenting the filter David sent. I would still like to be able to block URIs by the DNS server or Registrar used. There may be some

RE: [Declude.JunkMail] Good filter?

ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com

RE: [Declude.JunkMail] Good filter?

Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter?

RE: [Declude.JunkMail] Good filter?

Hi David, I think it will FP though - Here is an example: http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120 ed17cc24cd3567fd4396424914.gif with some tweaking I think it could be very effective though We have been wacking the guy w/sniffer General and dnsbl tests. I

RE: [Declude.JunkMail] Good filter?

Does the source have a space or different character after the end of the string ? we could look for a space. or a or (?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[])) David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday,

RE: [Declude.JunkMail] Good filter?

Would checking for the DOT, followed by one or more characters, at the end of the long string serve to eliminate the false positives? _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, October 18, 2010 10:57 AM To:

RE: [Declude.JunkMail] Good filter?

Dunno - I just grepped my logs to find the FP. You will have to get some complete examples to test on. Maybe do a COPYTO on any emails that fail your regex and then fine tune out the false positives. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International