Here are two links from antivirus vendors that describe the template the
Storm botnet has been putting out. These should be very useful in
crafting regexp to catch them all based on their body text.
http://www.f-secure.com/weblog/#1255
FYI, both SORBS and UCEPROTECT stopped mirroring APEWS due to the low
quality of the list.
Also, the SANS ISC recently diarized an issue with the APEWS using one
of their sources in a manner they do not recommend:
http://isc.sans.org/diary.html?storyid=3189
Andrew.
Well, the easy part is answering your question about the domains.
Each of the payload domains was registered today, so whatever service
you're using to look up the registrations is probably using a database
at least a day behind.
I use (for example) this site to my satisfaction:
Bonno, you can do this, but probably not in a single filter file.
A couple of key points for advanced filter file usage:
You can define weights per tests in a filter file, and you can assign
weight to a whole filter file, and these weights are cumulative.
You can trigger a filter file even
Hello, Serge.
I'm happy to chime in here, but let me start off with saying that you
will get divergent opinions here, and that nobody will be absolutely
right, as our answers are coloured by own experiences, and each
implementation is unique.
I'll also start off with asking you for your current
Happy Holidays, David!
How about a shiny new all_list.dat to ring in the New Year?
Andrew.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at
If it is going on all the time, use the command line and issue:
netstat -b
which will show you the executable name and the connection.
If you need to narrow down the TCP connection over a longer period of
time, use the free TCPView from Sysinternals dot com (now a Microsoft
Technet site).
(another country heard from)
David... Chuck... the MAILFROM is going to filter based on the
server-side conversation (i.e. for IMail users, it will be the value
from the Q*.smd file, not any text in the D*.smd file).
The example that Chuck gave is going to be the From: line in the message
Chuck, was it just the prc.tqmcube.com that returned these?
I see on their own RBL checker web page that only the Peoples Republic
of China zone returns this error.
When I query their servers for a few test IPs, including 127.0.0.2, I
don't get an error or a positive response, everything fails.
And as a further best practice to what Matt is advising, I'll mention
that ideally you want to send all outbound mail from an IP that is
different from your inbound gateways. And that your outbound bulk mail
would be separate from both.
Andrew.
-Original Message-
From: [EMAIL
off for now.
Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Colbeck,
Andrew
Sent: Thursday, February 21, 2008 12:58 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail
Alexander, you are really citing two problems with your scale and
performance.
The first is that you have older hardware and lots of mailboxes. Where
do your CPU and disk spend their time? On antispam, or on servicing
connections and mailboxes?
The second is that your spam detection is less
Symantec says that backscatter-as-deliberate-spam-technique is back in
vogue. See their April State of Spam Report
http://www.symantec.com/enterprise/security_response/weblog/2008/04/post
_8.html
Andrew.
From: [EMAIL PROTECTED] [mailto:[EMAIL
David Barker said:
DEC ADD Added date, Time, Email, Spool name, Weight and Tests
failed
to the BLKLST log
Dave, the what log?
Andrew.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of David Barker
Sent: Thursday, March 27,
PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] 4.4.00 Released
Andre -
Colbeck, Andrew wrote:
David Barker said:
DEC ADD Added date, Time, Email, Spool name,
Weight and Tests
failed
Definition of: ohnosecond
That tiny fraction of a second it takes for you to realize you've just
made a big mistake on the computer. For example, you just clicked No
when prompted to save the document you've been composing all day. Or,
you just clicked Send, and forgot to delete the profanity
I use Alligate from Solid Oak Software, and I like it a lot.
On my primary gateway, I received just shy of 500,000 connections in the
last 24 hours, and my Declude only had to see 4% of that traffic. Yes,
4%.
I'm spending less time doing clever things in Declude, because Alligate
is
, 2008 6:15 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Mail Pre-Processor recommendations
Colbeck, Andrew wrote:
I use Alligate from Solid Oak Software, and I like it a lot.
as do I.
The really slick part is how it reduces bandwidth - it *very* accurately
distinguishes
One thing, Serge.
You don't need both TXT records. The one called mail is useless.
p.s. here's yet another SPF record checking website
http://www.kitterman.com/spf/validate.html
Andrew.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Serge
Sent:
Perhaps suing your partners is a Rich Person(tm) idea of good Corporate
Stewardship(tm). It certainly is a far cry from supporting, promoting,
and improving the product line, you know, the normal way a company Earns
Money(tm).
Andrew.
From: [EMAIL
Here's the answer, Todd.
http://www.mail-archive.com/imail_fo...@list.ipswitch.com/msg103112.html
It's an old problem with CBL and IMail. Certainly, CBL is at fault and
by now they should have at least taken up SPF record checking to weed
out false positives. I just checked your SPF record and
I'm another Alligate fan on the Windows platform. It is a very smart and
effective product.
I have conservative settings that stick close to the defaults and my
configuration rejects 80% of the inbound connections. Before I
implemented Alligate, my Declude was hurting because of my large filter
I'm replying here so as not to clutter the announcement thread.
The rationale for not using 127.0.0.1 is that the DNSBL is reflexive,
and 127.0.0.1 is conventionally resolved as localhost and querying for
localhost in a DNSBL is wrong, wrong, wrong.
Expanding on that, the 127.0.0/8 network for
Matt There aren't that many RFC hawks around here these days :)
... The wikipedia entry points to an early work, this draft:
http://tools.ietf.org/html/draft-irtf-asrg-dnsbl-08
Pete Odd that nobody complained about it before.
I hadn't implemented it yet... And I'm a complainer.
Andrew ;)
I wrote a batch file once on a number of the exchange servers that used
VBS and LDAP to generate a list of valid exchange recipients and then
FTP them to the server where a CF script parsed it clean.
Michael, it sounds like you were most of the way there.
Alligate does have the feature you
It may have been down when you looked, Andy. It's up now.
Also, I like to use this 3rd party for an instant second opinion:
http://downforeveryoneorjustme.com
Andrew 8)
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
David, are you there?
The FROMNOMATCH test introduced in 2006 checks whether the MAILFROM
matches the From: header.
I suggest an enhancement to reduce false positives: that the FROMNOMATCH
is suppressed if the Sender: header line is present.
The Sender: header line is used to indicate that
Flavour of the day:
Relevant bits of the header:
Received: from payoff.all-debt-forever.com [173.192.161.27]
Subject: Stay on top of your credit report
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Header has DKIM.
Network allocation
I have the same position as Scott.
I find that the MessageSniffer product from ARM Research is the most reliable
test at catching spam from freemail accounts. Second best is a URI product, but
much of the spam from freemail accounts is scam text that doesn't have a URL,
or the spammer
servers
On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
I have the same position as Scott.
I find that the MessageSniffer product from ARM Research is the most
reliable test
snip/
Hotmail in particular would be less effective for the bad guys if I
had an
antispam tool that would determine from
From: Colbeck, Andrew acolb...@bentallkennedy.com
Sent: Wednesday, December 08, 2010 5:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo
and other free account blacklisted servers
Thanks, Pete and Scott.
As always, Pete
[mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Thursday, December 09, 2010 12:26 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and
other free account blacklisted servers
Harry, the snippet I included was the literal text, you
For what it's worth, I still test against REVDNS and it's never been
worth a HOLD action all by itself.
I score it at 25% of my HOLD weight threshold.
Reverse DNS lookups can go through a lot of lookups; if their DNS is too
slow and doesn't respond, you will inadvertently score against them
Dave, the target IP address is a really old spammer block according to
SpamHaus:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL79159
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL79123
Do you have a URL scanner? It should have picked off this one sample.
Besides the Zero Day component of
Rich, PCRE searches against BODY can be very expensive, particularly when you
do a .* expression, which will try to match very long strings.
You can give your CPU a break by changing .* to a judicious text size
restriction e.g. .{5,100}
body 0 PCRE (?i:^http\:\/\/.{5,100}\.(html|htm|php)$)
Sometimes a cigar is just a cigar.
Look at the order of your lines. You have a duplicate pair of weight4
lines between your 7 and 8 pair.
Andrew 8)
-Original Message-
From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Wednesday, August 17, 2011 4:56 PM
To:
Rick, you have a space between the colon and the YES and, if I remember
correctly, AOL does not put a space there.
#Email from AOL which they believe is spam
HEADERS 0 CONTAINS X-SPAM-FLAG:YES
On the other hand, there is a case-sensitive flavour that comes out of
SpamAssassin, and AOL
Don, if it's the I/O speed of an SSD that catches your interest, and
have RAM to spare (and some CPU), you could try a free virtual hard
drive (up to 650 MB) from StarWind:
http://www.starwindsoftware.com/high-performance-ram-disk-emulator
This would be an easier experiment than installing an
I don't see anything wrong there, Scott.
When I run it through The Regex Coach, I did have to remove the spaces
at the end of the line in your email and then it did work. So, make sure
there is no whitespace at the end of the line in your test file? Make
sure the filter file really is running and
If you know the header contains an exact string on a single line:
HEADERS 1 PCRE (?m:^Message-ID:blahblahblah)
Set the score weight as you like.
If you want to do a case-insensitive search, change ?m: to ?im:
If the text inside the blahblahblah would match regexp reserved strings,
I took a further look this morning, I have 116 samples from 113 unique
IP addresses from Jun 30 through Jul 03 inclusive.
These really are from Yahoo! and are digitally signed.
The Message-ID really are unique as they should be, and they should be
constructed by a Yahoo! server, possibly based
Ben, check the archive website here
http://www.mail-archive.com/declude.junkmail@declude.com/ for the mail you’ve
missed.
Andrew.
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 10:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why
but got no response and
couldn't find any other contact information.
Anyone able to correct or illuminate me?
Thanks,
Ben
- Original Message -
From: Colbeck, Andrew mailto:acolb...@bentallkennedy.com
To: Declude.JunkMail@declude.com
Sent: Wednesday
What we really need is a test that would do a whois... and that would identify
newly registered domains.
Dave, I'm not sure what further you're after, as you specifically mentioned
spameatingmonkeys.com and one of their tests seems to fit your bill exactly:
If you upgraded to Declude 4.11.09 to avoid the AVG licence issue, you’ll find
that it was a bandaid, and that build’s usefulness also expired
contemporaneously with David and Linda’s employee status, on January 31, 2013.
C:\IMail>strings decludeproc.exe | grep LicBeg
LicBeg, Ver=1.1,
You'll want to fetch this zipped version:
https://www.declude.com/version/extras/IP/all_list.zip
Inside is the all_list.dat dated April 7th, 2013.
Make a backup copy of your existing all_list.dat, and then overwrite it with
the all_list.dat inside that zip file download.
Andrew.