I was wondering if it was possible to use the REVDNS on a per user basis.
Unfortunately, this is not possible -- whitelisting based on the reverse
DNS entry is currently only available as a global option.
We have a client who wishes to receive coolsavings.com newsletter while
most others
I'm hoping someone can point me in the right direction. I'm looking for a
way to parse the IP Address out of the Spam Log file, DecMMDD.log. Then, I
would like to tally the amount of messages received from each unique IP
address.
I'm using the option LOG_OK NONE in the config file so only
If you have the Win32 UNIX tools (if not, you can get them at:
http://unxutils.sourceforge.net/), you can run the following script:
grep From: spam\dec1119.log | gawk "{print $(NF-2)}" | usort | uniq -c | usort
which will produce output like:
86 38.113.200.29
88 38.113.200.28
94 207.244.68.34
Is it me, or does that look more like a Bill the Cat quote than a bunch
of piped commands?
ack spam.log | phhhbbbpppth | gawk Oop ack!
:)
Bill Landry wrote:
If you have the Win32 UNIX tools (if not, you can get them at:
http://unxutils.sourceforge.net/), you can run the following script:
Is there a way I can get JunkMail Pro to not scan outgoing mail? I've
already commented out all of the outgoing actions, but I have a client
that is a large association, and their outgoing mailers are kicking my
server's butt.
Matt Robertson
I'm not very good with these unix tools in general, but my set of unxutils
doesn't include usort, and if I try using sort instead, I get a steady
stream of errors from gawk.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
Sent: Thursday, 20
Hi;
We are concerned with a product we are about to release to our client
organizations and need to know if anyone has any advice on how we should
protect the company against listing in the spam lists.
We are going to offer our clients the means to send newsletters to their
donors via
If you have volume, someone somewhere is going to have this stuff
submitted to SpamCop and MailPolice, and even some of the addresses may
well now be used as a spamtrap (remember, we're dealing with human
administrators).
The E-mail addresses will also be quite dirty because I'm guessing that
I just installed the demo (Tuesday I believe) and I have it set to warn
only. My plan is to move everything with a weight of 20 or above to a 'spam'
folder in each users webmail. I may be able to do 15, so far the highest
legitimate mail we've seen was 14.
Looking at what's coming in, I'm getting
ya, i'm getting the same error:
R:\decludelogs\spam>grep From: dec1119.log | gawk {print $(NF-2)} | usort | uniq -c | usort
'usort' is not recognized as an internal or external command,
operable program or batch file.
Has anyone got this to work?
Thursday, November 20, 2003, 2:56:49 PM, you
It kinda works if you use sort instead of usort. But beware, it's not quite
accurate.
Grep will break it down to records which have the From: line in
it. When Gawk executes, it will respond with the 2nd to the last field,
which is fine unless your log is like mine. Sometimes ID: will have
I don't care how much you monitor, you are NOT going to get a 100%
capture rate with no false positives. If there was a way to do that,
Scott would be a millionaire by now, and have twenty or thirty death
threats from spammers. You can get close, like maybe a 90% or 95% if
you're super particular,
[I post to this list from my day job address]
Have a new host called
jrny.tv
At http://www.dnsstuff.com/tools/lookup.ch?name=jrny.tvtype=MX
all looks kool - it points to my servers vtbass.com
But the servers never get the mail...
At http://www.dnsreport.com/tools/mail.ch?domain=jrny.tv
I
At http://www.dnsreport.com/tools/mail.ch?domain=jrny.tv
I get:
Getting MX record for JRNY.TV... Got it!
Host Preference IP(s) [Country] mail.jmy.tv. 20 65.201.175.144 [US]
mail2.jmy.tv. 50 65.201.175.144 [US]
So it seems jrny.tv gets switched to jmy.tv and this guy's mail gets
sent to jmy.tv?
Running JunkMail since May 2002. I've done a
bit of tuning on test weights, am using Sniffer
and several filters, contra-filter, and blacklist of my own
based on false-positives that I find on my own accounts, but I haven't done near
the amount of tuning that some have done. I delete on
I'm using the option LOG_OK NONE in the config file so only those
messages marked as spam should have their IP addresses in the log file
where did u set this option? what config file are you referring to?
ken
Thursday, November 20, 2003, 11:18:48 AM, you wrote:
CC I'm hoping someone can point
Glenn:
What we do is simply a negative weight for newsletters. We review the
weights of 20-60 and delete on 60.
Newsletters typically fall between 20-40 range and if we find them we simply
add them to our negative email list or for the legitimate ones like Cato or
other organizations we
I just saw that. No question my fault.
Date sent: Thu, 20 Nov 2003 17:29:21 -0500
To: [EMAIL PROTECTED]
From: R. Scott Perry [EMAIL PROTECTED]
Subject:Re: [Declude.JunkMail] OT DNS question unable to receive mail
Send reply
Hi..
This just came
in.. definitely NOT eBay not caught as SPAM.. filters are in
order.
HEADER
=
Received: from rainer.bnt.com [12.4.218.18] by foroosh.com with ESMTP (SMTPD32-8.04)
id A2D2B700C2; Thu, 20 Nov 2003 17:40:18 -0500
Received: from
Bill has pointed out that you must rename the unix 'sort.exe' command in the
archive to 'usort.exe'. This way, it won't conflict with the Windows 'sort'
command. Then his scripts will run as posted.
--
Scot
- Original Message -
From: Chuck Cahill [EMAIL PROTECTED]
To: [EMAIL
Kami,
Your Body URL filter caught /pics/ in this message (just once
though). Even though that didn't cause it to fail, a site that includes
this in each of their links could easily go over the delete weight on
your system as it stands right now without a MAXSCORE feature. Just a
heads up as
Thanks for pointing that out Scot, guess I should have clarified the file
name change with my last post. Sorry for the confusion.
Bill
- Original Message -
From: Scot Desort [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 3:20 PM
Subject: Re: Re[2]:
Just wondering if/how y'all are faring with SPAMC32, and thought I'd
post my SPAMD local.cf:
--BEGIN LOCAL.CF--
# How many hits before a message is considered spam.
required_hits 3.0
# Whether to change the subject of suspected spam
rewrite_subject 0
# Text to prepend to
Kami,
Would you care to share your FILTER-BODYURL filter? I'm
interested in seeing what you filter on -
Thanks!
-Nick Hayer
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:[Declude.JunkMail] This
Hmmm, didn't realize that the ID was missing at times. However, you cannot
count the fields in the other direction because of the possibility of
multiple To e-mail addresses on the line. Chuck, try this modified script
and see if it will work better for you.
grep From: spam\dec1119.log | cut -d
I agree with Matt's analysis, the payload link is the one that points to
cgi5-update[dot]com, and that text could be banned with a JunkMail Pro text
filter.
The IP address embedded in the long verification HREF is a tracking bug.
By viewing the message in HTML, the webserver at that IP is logging
Considering Kami's latest find and the general need to protect our
customers from this type of thing which is even worse than a virus to
the unknown, I have packed up two filters that I have been testing out
for a while with very good results. These things target eBay, PayPal
and credit card
Thanks guys, that all helps. I took the plunge and changed the settings from
'test mode' to 'effect everybody' mode! Now hopefully management will like
it enough to buy it after 30 days. Maybe after 25 days I'll turn it off just
to remind 'em...
~Brad
-Original Message-
From: [EMAIL
The product is only as good as the administrator :)
Actually, that really is mostly true.
With a single domain, if you get the Pro version and install some custom
filters, I see no reason why you can't get well above 99% blocking with
less than a 0.1% false positive rate. That would likely
I should have tested this better before publishing, but I introduced
errors in both files, one that could score @LINKED on some forwarded
E-mails, and one that could credit too much back to those same
messages. The net result was only 2 points extra scored on such an FP
or 3 points
The problem with body filters is the big performance hit the server takes in
high volume setups.
Comments?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Matthew
Yep, I try to use them very sparingly, myself.
Bill
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 6:16 PM
Subject: RE: [Declude.JunkMail] @LINKED IPLINKED v1.0.2 - Great for scam
detection
The problem with
To save on processing, you can do the following:
@LINKED - Chop out the ccTLD's and only leave the gTLD's (over 200 lines
saved). You can also shorten all of the IP w/@ strings to just
two numbers (10 through 99, be sure to include 10 and remove the dots)
which would save another 150
Lite versions of the mail filter files are now included for both filters
in the same zip file (no version changes). Just use the alternate files
in place of the main filters, don't mix. Since I haven't checked these
for the potential of FP's, be very cautious, especially with the @LINKED
John wrote:
The problem with body filters is the big performance hit the server
takes in high volume setups.
Comments?
Or big filters. As an experiment I took the Imail domain blacklist
(17000 entries) and turned it into a mongo BODY CONTAINS filter file.
It worked magnificently. The flow of