[Declude.JunkMail] test

2004-03-02 Thread Madscientist
ping

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Habeas Porn

2004-02-27 Thread Madscientist
Yes.

At 03:45 PM 2/27/2004, you wrote:
Has anybody seen the crazy amount of porn spam being sent with the Habeas
headers?
---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group
http://www.nexustechgroup.com/mailscan
---


RE: [Declude.JunkMail] Habeas Porn

2004-02-27 Thread Madscientist
At 04:41 PM 2/27/2004, you wrote:
Today's related counts:

My own Habeas filter: 17
HIL: 258
Number of my Habeas filters tripped that were in HIL: 1
Number of my Habeas filters tripped on my porn filter: 9
You know - it's probably crossed a mind or two - but it needs to be said.
Is it now time to use the Habeas test as a weighted indicator for spam?
_M



Re[2]: [Declude.JunkMail] Nigerian Filter Creator Helper

2004-01-23 Thread Madscientist
Hello Kevin,

Friday, January 23, 2004, 12:37:37 PM, you wrote:

KB I have been testing Kami's Nigerian filter and found that in 3 days it
KB flagged 56 email and only caught out of 5 nigerian scam emails.

KB I do not see this as a fault of Kami's effort but a fault of filtering. Some
KB of the lines are very common in legitimate email. I even lowered all the
KB weights to match our weighting scores. We will not be using it. Once I did
KB that then the nigerian scam email did not get enough weight to be flagged
KB properly.

KB For the effort it is not worth the results, in my opinion.

Sniffer has a number of rules for nigerian scam email. So far we've
never had a reported false positive for one of those rules. Perhaps
the reason is that we can provide more complex filtering matching
combinations of phrases from different segments of the message.

_M
__
Peter G McNeil (Madscientist, CodeDweller)
President, MicroNeil Research Corporation.
Chief SortMonster, www.SortMonster.com



Re[2]: [Declude.JunkMail] restricted mailing?

2004-01-22 Thread Madscientist
Hello Paul, Matt

Thursday, January 22, 2004, 1:36:55 PM, you wrote:

M Paul,

M This isn't something that I would generally try to promote
M because of the complexity of maintaining it in most cases, but for
M one's own daughter, it might make perfect sense. Something of course
M though would need to happen that caused her to get spam though, so
M it might not be necessary at all.

M You would need the Pro version to do this of course, and
M instead of weighting things to her address, what you would do is set
M up a weightrange test covering almost everything and then use
M actions (HOLD, ROUTETO or DELETE) in a per-user JunkMail file
M according to the Manual.  Whitelisting will prevent an all inclusive
M weightrange test from taking action on an E-mail.

snip

M   What I'd like to be able to do, is block all mail to a certain
M account, except from those addresses specified via AUTOWHITELIST.
M Kind of a 'parental control'. Let's say I give my daughter an email
M address, I only want to allow mail from family + friends, but those
M I specify in her contacts list within the webmail, so using
M Declude's AUTOWHITELIST ON, I can weight all mail coming in to her
M mailbox, say, 100 or so, waaay above delete range, but because of
M the address, it would be delivered. Does that make sense?

We've been experimenting with a PL (Private Listcode) methodology for these
scenarios. Specifically, all messages for a particular user (domain
usually) are blocked unless a PL code is present in the message. The
PL code is a random sequence of characters like a password. The group
that uses the code freely passes it around between them. Since no
spammer has the code it can't be abused. The code usually goes into a
signature. If the code becomes compromised then a new code is made up.

We usually create a PL code in Sniffer, but the methodology works
without it - In Declude you would use WHITELIST ANYWHERE plcode, and
block everything else.

Hope this helps,
_M

-- 
Best regards,
 Peter G McNeil (Madscientist, CodeDweller)
 President, MicroNeil Research Corporation.
 Chief SortMonster, www.SortMonster.com
 mailto:[EMAIL PROTECTED]



RE: [Declude.JunkMail] OBFUSCATION filter

2003-09-15 Thread Pete - Madscientist
Ahh. Understood. I got confused by our rules where we code for a single
instance restricted to the URL. (Can't do that without wildcards). All
good then. Great work!
_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Matthew Bramble
|Sent: Monday, September 15, 2003 12:40 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] OBFUSCATION filter
|
|
|Pete,
|
|It's not redundant because the two by themselves only check 
|for strings 
|of two, while the combination checks for strings with one of each in 
|succession.  This way, if they go back and forth between the two, it 
|will get caught as long as there is a . or @ between them, or as 
|long as it is URL encoding followed by HTML encoding.  I left out the 
|other way around because it was only a two character string, ;% and 
|wanted to protect from FP's.
|
|I do appreciate the feedback though...I do of course make mistakes.
|
|Matt
|
|Pete McNeil wrote:
|
| Matt,
|
| It appears that your coding for a combination of http  url encoding
| in urls is redundant since you capture both types 
|individually. It's a 
| small optimization, but worth mentioning.
|
| _M
|
| At 07:46 PM 9/14/2003 -0400, you wrote:
|
| I've posted a newer version of the OBFUSCATION filter on my site.
| This contains the removal of the attachment thing and also the 
| removal of 6 (of over 100) tests in order to be more 
|forgiving, sans 
| the PayPal issue.
|
| 
|http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003
| c.txt
|
|
| If you find any false positives with this besides the Ticketmaster
| one that I've already counterbalanced, please let me know.  I would 
| imagine that posting to this group would be better than PM's unless 
| others mind having discussion here.  That way everyone would know 
| about any issues ASAP.
|
| Thanks,
|
| Matt
|


RE: [Declude.JunkMail] Bogus comments

2003-09-12 Thread Pete - Madscientist
Not quite right. Normal HTML does often contain comments, usually
generated automatically as a debugging aid for the developer. Normal
HTML does not usually contain comments that break up words like fr <!--
catch me if you can --> ee (note that I added a space after fr and
before ee to be sure Message Sniffer filters wouldn't catch this
accidentally).

_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|interactiveaustria
|Sent: Friday, September 12, 2003 1:14 AM
|To: [EMAIL PROTECTED]
|Subject: [Declude.JunkMail] Bogus comments
|
|
|Hi,
|
|is there a possibility to test for (bogus) comments with 
|Declude.Junkmail (I'm using the lite version)? Something like
|
|V<!-- hfa -->I<!-- kfk -->A<!-- sak -->G<!-- jkd -->R<!-- hdg -->A
|
|Anyway, a normal HTML Mail should not contain any comments 
|at all (is that right?), so that could be a 100% indicator for spam.
|
|Best wishes
|Michael
|
|+--+
|| interactiveaustria   |
|| Michael Tobisch EDV-Dienstleistungen |
|| Wiesengasse 12, A-8160 Weiz  |
|| Tel +43 3172 4930|
|| GSM +43 664 2126941  |
|| EMail [EMAIL PROTECTED]|
|| Web http://www.iaa.at|
|+--+
|| Kundeninformationen per E-Mail:  |
|| http://www.iaa.at/kundeninfo.asp |
|+--+
|
|


RE: [Declude.JunkMail] scrambled url in source of e-mail

2003-09-04 Thread Pete - Madscientist
For one thing this is a great way to filter spam. There is no good reason 
to encode part of a url, or for that matter to encode "normal" characters. So, 
anything with %30%37.biz is _ALMOST_ certain to be spam. We have been testing a 
number of rules like this already with great results. I see no reason that rules 
like this can't be made in IMail or Declude directly since they tend to be very 
simple and short.

Hope this helps,
_M

Chief Sortmonster (www.sortmonster.com)

"The more they rethink the plumbing, the easier it is to stop up the 
works - Scotty"

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
  Sent: Thursday, September 04, 2003 9:33 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] scrambled url in source of e-mail

  How does one deal with scrambled source in the e-mail.

  For example I find the following address: www.%3982%30%37.biz

  I like to use the address in my filter file but am not sure if the scrambled form
  will work as I assume there must be a translation going on when this code gets
  processed

  thanks

  Harry Vanderzand
  inTown Internet & Computer Services
  11 Belmont Ave. W.
  Kitchener, ON
  N2M 1L2
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Thursday, September 04, 2003 8:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Placing Weight in Header

Duuuh.. Why didn't I think of that.
FWIW, if you just put Weight: %WEIGHT% in the header then you might
be breaking RFC's.
There should be an X- before your "Weight" line which will
denote a comment line.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GlobalWeb.net Webmaster
  Sent: Thursday, September 04, 2003 8:25 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Placing Weight in Header

  we use, in our global.cfg file,

  XINHEADER Weight: %WEIGHT%

  so you could put in yours:

  XINHEADER X-DECLDUE-WEIGHT:%WEIGHT%

  Sincerely,
  Randy Armbrecht
  Global Web Solutions, Inc.
  804-346-5300 ext. 1877-800-GLOBAL (4562) ext. 1
  http://globalweb.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Thursday, September 04, 2003 7:39 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Placing Weight in Header

Is there any way to place the total weight in the SMTP header?
Something like:

X-DECLUDE-WEIGHT: yyy
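
Added example (not part of the original messages, and not IMail, Declude or Message Sniffer code): the rule described in the reply at the top of this thread entry, that percent-encoding "normal" characters in a URL host is itself a spam indicator, together with the decoded host so a filter entry written in plain form still matches the scrambled one. Function names and the sample body are constructed; the encoded host is the one quoted in the thread.

```python
import re
from urllib.parse import unquote

URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# RFC 3986 "unreserved" characters never need percent-encoding.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def host_of(url):
    """Return the host part of a URL, without scheme, userinfo, port or path."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    host = authority.rsplit("@", 1)[-1]
    return re.sub(r":\d*$", "", host)


def needless_escapes(text):
    """List the %XX escapes in text that decode to a character needing no encoding."""
    return [e for e in ESCAPE_RE.findall(text) if chr(int(e[1:], 16)) in UNRESERVED]


def iter_urls(body):
    """Yield (url, host) for every URL-like token, trimming trailing punctuation."""
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:!?)")
        yield url, host_of(url)


def inspect_urls(body):
    """Report URLs whose host contains needlessly encoded characters."""
    findings = []
    for url, host in iter_urls(body):
        escapes = needless_escapes(host)
        if escapes:
            findings.append({
                "url": url,
                "host": host,
                "escapes": escapes,
                "decoded_host": unquote(host).lower(),
            })
    return findings


def hits_blocklist(body, blocked_hosts):
    """Match the decoded host, so one plain-text entry covers every encoding of it."""
    return any(unquote(host).lower() in blocked_hosts for _, host in iter_urls(body))


# Constructed message body; the encoded host is the one quoted in the thread.
SAMPLE_BODY = (
    "Click http://www.%3982%30%37.biz/offer now.\n"
    "Docs: http://example.com/search?q=hello%20world\n"
    "Plain: www.%3982%30%37.biz\n"
)

if __name__ == "__main__":
    for finding in inspect_urls(SAMPLE_BODY):
        print(finding)
    print(hits_blocklist(SAMPLE_BODY, {"www.98207.biz"}))
```

The check is limited to the host because escapes such as `%20` in a query string are routine in legitimate mail.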


RE: [Declude.JunkMail] More and more email getting past Declude

2003-09-02 Thread Pete - Madscientist
They're not getting past everything - we show a rejection rate of greater
than 75% almost consistently... not to say that the problem isn't getting
worse though.

http://www.sortmonster.com/MessageSniffer/Performance/FlowRates.jsp

We have seen a significant and apparently consistent rise in the rate of new
spam since about a week ago - coinciding with the closure of Osirusoft...
probably largely a matter of more reports rather than simply more spam - but
significant none the less.

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

_M

  -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, September 02, 2003 9:21 AM
 To:   Declude JunkMail (E-mail)
 Subject:  [Declude.JunkMail] More and more email getting past Declude
 
 Is it just me or have spammers found other ways to get past scanners? I've
 been getting slammed lately with more and more spam that is getting past
 declude without a single hit.
 
 Greg Foulks
 NewFound Technologies, Inc.
 [EMAIL PROTECTED]
 http://www.nfti.com
 614.318.5036
 

RE: [Declude.JunkMail] OT: Declude notification and SoBig assault.

2003-08-22 Thread Pete - Madscientist
Message Sniffer has rules in place for this (about 30+ of them).

We've also lifted the delay restriction on the demo license temporarily
so that ANYONE can get this protection by running the demo license
(sniffer2.snf) with Declude Junkmail. BE SURE TO DOWNLOAD THE LATEST
VERSION OF THE RULEBASE - 

http://www.sortmonster.com/MessageSniffer/Try-It.html

I am about to take off the group differentiation temporarily so that
Declude can be set up to test for the specific rule group result for
malware under the demo license.

(We will keep the restrictions off of the demo license (sniffer2.snf)
until the biggest problems with Sobig are over.)

That result code for the malware rule group is: 55.

USE CAUTION! We _think_ we've got good filters in place for all variants
of sobig.f, however we have seen minor changes showing up and nothing is
perfect. We do seem to be catching almost all of it though...

Hope this helps,
_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of junk mail
|Sent: Friday, August 22, 2003 12:48 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] OT: Declude notification and 
|SoBig assault.
|
|
|We are only running Declude JunkMail is anyone setting up any 
|rules to filter out the SoBig virus other than using Declude 
|virus software.
|
|Thanks,
|Dom
|
|


RE: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread Pete (Madscientist)
Please forward a copy of the newsletter to me
([EMAIL PROTECTED]) as an attachment and I will adjust the rule
base (if appropriate). This is a service we provide by default to each
subscriber, but we also - in general - code the core rule base to avoid
false positives whenever we hear about them and the choice is widely
applicable.

Your assistance is greatly appreciated.

Thanks,
_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|[EMAIL PROTECTED]
|Sent: Thursday, August 21, 2003 7:38 AM
|To: [EMAIL PROTECTED]
|Subject: RE : [Declude.JunkMail] Alligate vs. Message 
|Sniffer...opinions?
|
|
|Hi,
|
|Message sniffer is not so bad as I tested it but have a big 
|problem with News letter it has a big False positive rate with them.
|
|Regards
|Mehdi Blagui
|
|-Message d'origine-
|De : [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] De la part de 
|Matthew Bramble Envoyé : jeudi 21 août 2003 03:32 À : 
|[EMAIL PROTECTED] Objet : Re: [Declude.JunkMail] 
|Alligate vs. Message Sniffer...opinions?
|
|
|John,
|
|I just joined the list today, but I found your configuration file from 
|back in June and it was very helpful in understanding how to fine tune 
|Alligate.  I'm going to study its logs more closely before I 
|start that
|
|phase though, looking for false positives.  I've turned that test down 
|to 3/10 of failure and reduced several other tests by 1/10 to 2/10 of 
|failure in order to accommodate it (BADHEADERS for instance).  
|It seems 
|to get most of its scoring from technical-type stuff instead of the 
|heuristics, and if this is the case, I don't think that a scaled test 
|would be that much more useful to me.  If I could score the 
|content and 
|obfuscation, and just those things, I wouldn't be double counting the 
|technicals, and that should reduce some false positives.
|
|I don't want to knock Alligate, it has some nice functionality, 
|especially when used without Declude (auto whitelisting and digest 
|notification), and it does what it says, but it has a relatively high 
|false positive rate in the default configuration and therefore 
|it can't 
|be scored higher than it is on my scale.  If they could get the auto 
|whitelisting and digest notification to work with Declude, that might 
|make me a buyer.  I'm still looking for more information on Message 
|Sniffer within this context.
|
|I've looked at AutoWhite and will probably give it a try, but I can't 
|find any information on Match.  Would you care to share a link?
|
|Thanks,
|
|Matt
|
|
|
|
|John Tolmachoff (Lists) wrote:
|
|As one of the earlier testers and helped develop the variable 
|scale of 
|Alligate, I can understand your position. I have a client that gets a
|lot of
|e-mail from the Far East and a lot of bcc broadcasts and 
|lists. Many of 
|these show elements of spam, but are legit. That is what 
|makes it hard.
|
|There are a number of adjustments available in Alligate. You 
|might want
|to
|look over my config file I posted earlier today.
|
|One thing I do for this specific issue is I use 2 programs. One is
|Match,
|which is very simple but does need to be revised. The other is
|AutoWhite. A
|30 demo of AutoWhite is available at 
|www.eservicesforyou.com/products/autowhite.html. Match is free.
|
|While everyone can have a unique setup, please let me know if 
|you would
|like
|to spend some time going over the possible configurations in Alligate.
|
|John Tolmachoff MCSE CSSA
|Engineer/Consultant
|eServices For You
|www.eservicesforyou.com
|
|  
|
|
|


RE: [Declude.JunkMail] re: Strange logging

2003-07-03 Thread Madscientist
I caught this when my log analyser told me that I have a test called 
SPAM07/02/2003

snip

This does seem to happen occasionally when several processes 
are appending 
to a text file in a very short period of time (not just with 
Declude; it 
happens with IMail SMTP32.exe processes as well).  My guess is 
that when an 
internal OS buffer gets hit, rather than waiting for it to 
clear, the OS 
just saves part of what it is supposed to.

-Scott

We also see this quite a bit with Message Sniffer logs. Consistently the
logs from Winx systems have these kinds of odd mergers. The only way
to solve it is to serialize access to the log files - which slows things
down so we don't do it.

_M



Re: [Declude.JunkMail] Mail Client with Redirect Command

2003-06-28 Thread Madscientist


At 07:27 PM 6/27/2003 -0400, you wrote:
Can
anyone out there recommend a Windows based email client that supports the
redirect command ??

I believe The Bat! does that.
_M




Re: [Declude.JunkMail] Incredimail

2003-06-28 Thread Madscientist
At 10:31 AM 6/28/2003 -0700, you wrote:
Is anyone blocking these content rich fun E-mails?  I've had customers 
using the program have a raft of problems, the latest seems to be ISP's 
bouncing the Email based on the incredimail tag in the headers.


We had some early rules show up due to spam from incredimail and done using 
incredimail. We quickly had to abandon those rules due to false positive 
reports. It was very short lived.

(sigh)

_M



Re: [Declude.JunkMail] Numeral SP00FING

2003-06-18 Thread Madscientist
We tried some generalized patterns in Message Sniffer at first, but always 
found too many false positives in the analysis. Now we just wait for an 
instance to come by and it's coded in the next update (usually within a 
couple hours). No false positives for these codings so far... but of course 
they are specific and it takes time to do this work...

_M

At 04:57 PM 6/18/2003 -0700, you wrote:
I also considered something universal like every combination of  letters 
next to numbers, but there are too many legit messages with codes, even if 
limited to the subject.  It would work if the test were smart enough to 
measure the ratio of letters to numbers.

Good luck with that.

Dan

On Wednesday, June 18, 2003 15:32, Markus Gufler [EMAIL PROTECTED] wrote:

 ST0P Paying T00 MUCH for 1NSURANCE

 Easy to stop, but its silly to make tests for every word in
 the dictionary.  Anyone have some already assembled?

Our latest Alpha-Version of SpamChk has a new test called DigitsInWord.
At the moment it's not very reliable because we have to finish the
implementation of complete MIME-support. Until now this test catches
also certain encoded strings that commonly contain digits and so will
produce false positives.

Markus




Re: [Declude.JunkMail] Leading space

2003-06-12 Thread Madscientist
At 08:57 AM 6/12/2003 -0500, you wrote:
Hi

I'm using whitelist anywhere as a poor man's whitelist to, since I can't
justify the upgrade to Pro.
I've got the line:
whitelist anywhere nick@
in my global.cfm
(I want to whitelist [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
etc.)
Unfortunately, that also catches [EMAIL PROTECTED]

Can I force there to be a leading space character, so that only
[EMAIL PROTECTED] triggers the whitelist?
You may not be looking for a space anyway. In a header you would likely see 
the address as [EMAIL PROTECTED] so you might try whitelist anywhere nick@

It's not perfect but I think it will work. Scott will correct me if I'm wrong.

Hope this helps.
_M


RE: [Declude.JunkMail] Held Spam Management

2003-06-12 Thread Madscientist
On a separate topic, I'm curious to know how everyone handles 
the spam which makes it into the imail\spool\spam directory. 
 My current implementation of Declude JunkMail Pro is enabled 
for only 5 domains.  A couple of those domains have only been 
active for a week.  We have about 100 domains on our IMail 
server so I can't imagine what it's going to be like when I 
roll this out on a large scale.

We hold spam for some period of time (typ 2 wks). If a false positive is
suspected then we perform a search for the missing message using
simple file search tools and if we find the message we adjust our
Message Sniffer rules and other settings to compensate. Copying the
message back into the spool directory (both D & Q files) gets the
message delivered.

( Typical adjustments would include blocking black rules, adding white
rules, or adjusting the weights on some tests. Most often the case is
adding a white rule for a list that may include advertising content or
perhaps is sent by a gray hoster. )

Some systems allow the user to perform the search and delivery functions
themselves and then reports false positive information based on their
activity. These systems may also make automatic adjustments such as the
addition of white rules based on the headers in the message etc... it's
all dependent upon the technical capability of the system
administrator(s).

We never do any review of the messages held in the spam folder except
when performing research and training functions for our Message Sniffer
product. As an ISP, we would probably never review this content. As a
small business or corporate office we might do a weekly search for
common keywords of interest and review only that content as a safe
guard.

guessing that one route I could take is to take a DELETE 
action on spam which has a particularly high weight.  Given 
the DJM default weight is there any weight which people have 
decided is a good DELETE weight.  Is there anything else I'm 
not thinking of?

With Message Sniffer there are some categories of messages (such as
Porn/Adult) that are generally safe to delete. Declude allows you to
treat each of these categories differently.

You can take the same approach with other tests in Declude with varying
degrees of confidence. For example you may find that a particular test
or rbl never causes you any false positives and so you could choose to
delete on those tests.

It's tougher to be sure about deleting messages based only on weight,
but certainly worth a try given the statistics that are posted by
Declude. There appears to be a VERY high level of confidence and
accuracy at the high weight levels when a wide range of tests are
applied. I recommend you start by reviewing the latest statistics posted
by Scott and look at the simulated tests (WEIGHT 10 and WEIGHT 20). Your
mileage may vary but you might feel safe establishing a delete weight
that matches the top 10 - 20 % of the messages you stop with Declude
given the tests that you use. After watching this a while you could
adjust that number downward to capture more for deletion.

There are no _absolute_ weight values to recommend since every
installation of Declude and every system's tolerance for error is
different. I hope these suggestions are helpful to get you started.

_M

Pete McNeil (Madscientist)
Chief SortMonster (www.sortmonster.com)



RE: [Declude.JunkMail] Easy way to add power and flexibility.

2003-06-06 Thread Madscientist
Wouldn't it make sense to follow this logic...

Do the positive weight tests (black tests) first in highest to lowest
weight order.

If the action threshold is reached then skip to the negative weight
tests (white tests) in the same order but keep your place so you can
resume if needed.

If a negative weight test drops the weight below the action threshold
then bounce back to the positive list and continue where you left off
until you finish or break the threshold again.

Allow the system to bounce between black and white tests until the value
stabilizes.

Also include the optimization rule that the white tests never get run or
resume if either the current weight is below the action threshold or the
sum of the remaining tests would be insufficient to force it back across
the threshold.

Include a similar rule for the black tests.

The result will be a system that adapts to the tests that are available
in real time, only running the tests required to produce a determinate
result.

This is based on self organizing automata principles. It allows the
population of tests to interact with each other and reach a stable
equilibrium in their environment (a determinate result) even when the
population of active tests is unknown before each instance of run time.

It sounds more complicated than it is.

_M

PS: In Declude there is a wrinkle with this methodology. Since all DNS
based tests are fired at once up front there is no obvious way to
resolve the ordering of these tests... but this _might_ be solved by
recognizing that most DNS interactions are UDP based... so it would be
possible (and relatively inexpensive) to launch the queries for all of
the potential DNS based tests up front, but to reserve the evaluation of
each result in the appropriate order... if the system reached a state
where some of these tests were not going to be evaluated then those
threads would simply die with no harm. Only Scott knows how his code is
structured so this may or may not be an easy thing to do. I'm presuming
it would be easy if each test were fired in its own thread since that
thread would spend most of its time waiting (sleeping) for a response
and the evaluation of that response could be encapsulated in a result
check method for the test.


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of John 
Tolmachoff (Lists)
Sent: Wednesday, June 04, 2003 2:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Easy way to add power and flexibility.


 Forgive the intrusion (I just troll here, don't actually have JM
 yet), but this idea seems flawed.  If you quit testing once a
 certain weight has been reached, wouldn't you cut off further testing
 that might reduce that weight?  In a system where a score can go up
 and down depending on the test, unless there is a way to order the
 tests so negative weighted tests are run first, I'd think that all
 tests must be accounted for.

Welcome Kurt. Yes, I agree with you. That is why I have stated
my hesitation at having this available, either as an option or feature.

The weighting system is the weighting system and should be 
allowed to work in its entirety.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


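
The black/white bouncing evaluation described in the message above, as an added example that is not part of the original thread and is not Declude's code. The test names, weights, threshold and message features are hypothetical values constructed for the illustration; the early-exit rules are the two "remaining tests are insufficient" checks from the message.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

Message = Dict[str, bool]


@dataclass(frozen=True)
class Test:
    name: str
    weight: int                       # > 0 is a "black" test, < 0 a "white" test
    fires: Callable[[Message], bool]  # True when the test matches the message


def flag(key: str) -> Callable[[Message], bool]:
    """Build a check that fires when a (constructed) message feature is set."""
    return lambda msg: bool(msg.get(key))


# Hypothetical tests and weights, constructed for this example.
TESTS = [
    Test("BLACK_DNSBL", 10, flag("dnsbl")),
    Test("BLACK_CONTENT", 8, flag("content")),
    Test("BLACK_HELO", 6, flag("bad_helo")),
    Test("BLACK_NOABUSE", 2, flag("no_abuse")),
    Test("WHITE_SENDER", -10, flag("known_sender")),
    Test("WHITE_AUTH", -3, flag("auth")),
]
FEATURES = ["dnsbl", "content", "bad_helo", "no_abuse", "known_sender", "auth"]
THRESHOLD = 15


def evaluate_all(msg: Message, tests=TESTS, threshold=THRESHOLD) -> Tuple[bool, int]:
    """Reference behaviour: run every test and compare the sum to the threshold."""
    total = sum(t.weight for t in tests if t.fires(msg))
    return total >= threshold, total


def evaluate_adaptive(msg: Message, tests=TESTS,
                      threshold=THRESHOLD) -> Tuple[bool, int, List[str]]:
    """Bounce between black and white tests; stop once the verdict cannot change."""
    black = sorted((t for t in tests if t.weight > 0), key=lambda t: -t.weight)
    white = sorted((t for t in tests if t.weight < 0), key=lambda t: t.weight)
    bi = wi = 0                                 # saved place in each list
    black_left = sum(t.weight for t in black)   # most the score can still rise
    white_left = sum(t.weight for t in white)   # most it can still fall (negative)
    total, ran = 0, []
    while True:
        if total >= threshold:
            if total + white_left >= threshold:
                break                  # remaining white tests cannot pull it back
            test = white[wi]
            wi += 1
            white_left -= test.weight
        else:
            if total + black_left < threshold:
                break                  # remaining black tests cannot reach it
            test = black[bi]
            bi += 1
            black_left -= test.weight
        ran.append(test.name)
        if test.fires(msg):
            total += test.weight
    return total >= threshold, total, ran


def verdicts_agree() -> bool:
    """Check every feature combination against the run-everything verdict."""
    for bits in product([False, True], repeat=len(FEATURES)):
        msg = dict(zip(FEATURES, bits))
        if evaluate_adaptive(msg)[0] != evaluate_all(msg)[0]:
            return False
    return True


if __name__ == "__main__":
    for msg in ({"dnsbl": True, "content": True, "bad_helo": True}, {},
                {"dnsbl": True, "content": True, "bad_helo": True,
                 "no_abuse": True, "known_sender": True}):
        print(evaluate_adaptive(msg))
    print("same verdict as running all tests:", verdicts_agree())
```

The running total can differ from the full sum because skipped tests never contribute; only the side of the threshold is guaranteed to match.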


RE: [Declude.JunkMail] whitelist and mult rcpt

2003-05-30 Thread Madscientist
In the interim, a less complex method might be to have a setting which
will ignore a white list entry for an address if more than one recipient
is specified. This might take the form of a special kind of whitelist
entry. Most valid messages to postmaster, for example, only have
postmaster as the recipient. I know this would be less complicated than
splitting up the messages.

I wonder if there is a clean way to intercept message retrieval or final
delivery (better) with a program like a second pass of Declude or
another utility like Message Sniffer. I'm not close enough to the guts
of IMail to know if this is practical, but it might significantly
simplify this problem.

Any ideas Scott?

_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Karen Oland
]Sent: Thursday, May 29, 2003 12:57 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] whitelist and mult rcpt
]
]
]We've been getting a lot of spam in the last week or so that bypasses all
]our spam filters -- they are all copied to the postmaster@ account for our
]domain.  Apparently, they are taking advantage of the common practice of
]whitelisting the postmaster and the inability of spam filtering programs to
]separate actions on messages sent to multiple users.  No doubt, it won't be
]long before most messages do the same, rendering both your postmaster
]account and spam filters useless.
]
]I know it has been asked for before and said to be impossible (programmer
]speak, for don't want to do it -- I know, being one), but PLEASE consider
]creating multiple copies of messages that arrive for multiple recipients, so
]that the spam filters can operate (yes, this means some complications, but a
]little trickery could reduce problems -- for example, only making a copy for
]the recipient(s) that are whitelisted).
]


RE: [Declude.JunkMail] Wishlist reminder... :-)

2003-05-27 Thread Madscientist
You may not always want to do this.
Some apps learn from white-list entries so if you were to prevent them
running when a message was white-listed you would prevent some of that
function. In many cases it might be ok, but not all to be sure.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
]Sent: Tuesday, May 27, 2003 8:41 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Wishlist reminder... :-)
]
]
]Scott, with talk recently of optimization and efficiency, and where certain
]tests should be conducted to save on CPU cycles.  I was thinking that one
]way to gain efficiency would be to NOT run Declude and third-party apps
](SpamChk, AlliGate/SpamManager, Sniffer, etc.) on whitelisted e-mails (virus
]scan only).  This would not only greatly reduce CPU requirements, but also
]greatly cut down on log file sizes for Declude and third-party apps.
]
]Secondly, what about spam filtering messages before virus scanning, and if
]the message accrues a weight high enough to be deleted, then delete and do
]NOT virus scan the message.  However, if it meets hold or deliver weights,
]then virus scan the message before final handling.
]
]Any thoughts on when or if either of these notions will be
]entertained...(please, please, and pretty please)?  ;-)
]
]As always, thanks for a great product!
]
]Bill
]


RE: [Declude.JunkMail] Obfuscated Addresses

2003-04-06 Thread Madscientist
Be careful about this...
Be sure that if you create a black rule for this kind of thing that you
capture the href= part as well or else you will have quite a few false
positives - generally from subscribed lists published by larger bulk
houses. URL Encoded web links (partially encoded or fully encoded) are
common in the extended portions of image and other links in these kinds
of messages - probably as tracking measures. This was our experience
anyhow...

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Dan Patnode
]Sent: Sunday, April 06, 2003 1:54 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Obfuscated Addresses
]
]
]For those of you who track obfuscation techniques:
]
]Besides
]http://%
]
]be sure to add a test for
]http://w%77w.
]
]in case the actual address starts with http://www.
]
]
]Dan
]
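
The difference between a bare "http://%" style rule and one anchored on href=, as an added example that is not part of the original thread and is not a Declude or Message Sniffer rule. It generalizes the two patterns in the quoted message to any %XX escape in the host part of a link; the regular expressions and the sample HTML are constructed for the illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# href= followed by an http(s) URL whose host part (everything before the
# first "/") contains a %XX escape. Escapes in the path or query are ignored.
HREF_ENCODED_HOST = re.compile(
    r'''href\s*=\s*["']?https?://([^/"'\s>]*%[0-9a-f]{2}[^/"'\s>]*)''',
    re.IGNORECASE,
)

# The same idea without the href= anchor, for comparison.
BARE_ENCODED_HOST = re.compile(r'''https?://[^/"'\s>]*%[0-9a-f]{2}''', re.IGNORECASE)

# Constructed samples: a message hiding its link hosts behind escapes ...
SAMPLE_SPAM = (
    '<a href="http://w%77w.example.com/offer">click</a> '
    '<A HREF=http://%65xample.net/>x</A>'
)
# ... and a bulk newsletter whose tracking links carry an encoded URL in the
# extended (query) portion of an image link and of an ordinary link.
SAMPLE_NEWSLETTER = (
    '<img src="http://track.example.org/o.gif?dest=http://%77ww.example.org/page"> '
    '<a href="http://news.example.org/click?to=http%3A%2F%2Fexample.org%2F">read</a>'
)


def encoded_host_links(html: str) -> List[Tuple[str, str]]:
    """Return (host as written, decoded host) for each href with an escaped host."""
    return [(m.group(1), unquote(m.group(1)))
            for m in HREF_ENCODED_HOST.finditer(html)]


def bare_rule_hits(html: str) -> List[str]:
    """Matches of the unanchored rule, including URLs nested in query strings."""
    return [m.group(0) for m in BARE_ENCODED_HOST.finditer(html)]


if __name__ == "__main__":
    print("spam, href rule:      ", encoded_host_links(SAMPLE_SPAM))
    print("newsletter, href rule:", encoded_host_links(SAMPLE_NEWSLETTER))
    print("newsletter, bare rule:", bare_rule_hits(SAMPLE_NEWSLETTER))
```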


[Declude.JunkMail] Message Sniffer Demo Updated.

2003-03-28 Thread Madscientist
For those of you who are evaluating Message Sniffer, the rule base for
the evaluation version has been updated. You can get the newest
distribution on our Try-It page at the following URL:

http://www.sortmonster.com/MessageSniffer/Try-It.html

If you have already downloaded the distribution for testing with Declude
you will only need to replace your sniffer2.snf file so that you are
evaluating with the most current rule base file.

Hope this helps,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster, www.SortMonster.com
VOX: 703-406-2016
FAX: 703-406-2017



RE: [Declude.JunkMail] Message Sniffer Demo Updated.

2003-03-28 Thread Madscientist
Apologies for the confusion. (O/T)

This is an artifact of having dragged the file onto my windows desktop
from a mapped FTP folder. The FTP server is running Linux and Windows
has a habit of misreading the date/time on those files when mapped this
way. The odd year is harmless.

When I access the file via Samba (Windows Networking) from the same
server the date reads 3/28/2003 as it should.

Thanks for the heads up.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED] On Behalf Of 
| Grant Griffith
| Sent: Friday, March 28, 2003 4:23 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Message Sniffer Demo Updated.
| 
| 
| Why is the file dated 3/28/2002???  I am talking about the sniffer2.snf file
| in the zip...
| 
| Sincerely,
| Grant Griffith, Vice President
| EI8HT LEGS Web Management Co., Inc.
| http://www.getafreewebsite.com
| 877-483-3393
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] Behalf Of Madscientist
| Sent: Friday, March 28, 2003 3:36 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Message Sniffer Demo Updated.
| 
| 
| For those of you who are evaluating Message Sniffer, the rule base for
| the evaluation version has been updated. You can get the newest
| distribution on our Try-It page at the following URL:
| 
| http://www.sortmonster.com/MessageSniffer/Try-It.html
| 
| If you have already downloaded the distribution for testing with Declude
| you will only need to replace your sniffer2.snf file so that you are
| evaluating with the most current rule base file.
| 
| Hope this helps,
| _M
| 
| Pete McNeil (Madscientist)
| President, MicroNeil Research Corporation
| Chief SortMonster, www.SortMonster.com
| VOX: 703-406-2016
| FAX: 703-406-2017



RE: [Declude.JunkMail] Not Failing the comments test

2003-03-26 Thread Madscientist
The Message Sniffer rule for this is also being adjusted/broadened.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
]Sent: Wednesday, March 26, 2003 9:09 AM
]To: [EMAIL PROTECTED]
]Subject: Re: [Declude.JunkMail] Not Failing the comments test
]
]
]
]I assume this didn't fail the comments test because it is actually not
]formatted like a true html comment !--some comment
]
]That is correct.
]
]   !pNcTpTxGpDsYxVNtNsvMbEBbWbhHmKgDm
]
]That isn't an HTML comment.  It is a made-up HTML tag.
]
]However, the next release should have a way to automatically
]get around
]fake HTML tags, so that you can still filter the text that they try to
]break up.
] -Scott
]


RE: [Declude.JunkMail] Interesting test results

2003-03-25 Thread Madscientist
| What we are doing is to track the 2000 (user configurable) most recent spammer
| IP addresses. The list is maintained as an MRU style list (sorted with the
| most recent at the top). If incoming messages reach a user defined score, the
| IP address of the spammer is added to the list.

snip

| Here is what we found. After about 3 weeks of data collection, only about 1 in
| 400 incoming spams is identified by a DNS lookup, and NOT on the list of the
| 2000 most recent spammers. Also, of all the spams we receive on all accounts,
| about 43% are on the recent spammer list, meaning that almost half of the
| spams we receive are from senders that have spammed us before.

snip

This is one of the capabilities we're building into Message Sniffer v3.
Our testing has shown similar results, however there are some
complexities with these tests particularly where gray sources are
found. As a result our implementation will resolve the IP address and
other network centric tests first as features of the message. These
features then become part of the input stream for the Bayesian hinting
engine.

(It should be noted that the Bayesian hinting engine is really more a
blend of fuzzy logic, neural networks, and naive Bayesian learning
techniques... it's just easier to use the current buzz-word to describe
it...)

So far our simulations indicate some profound accuracy improvements when
new spam arrives, and surprisingly also when non-spam from gray
senders arrives. The early analysis indicates that the learning engine
is picking up second and third order patterns associated with these
message features... This has the effect of gating the effect of some
heuristics which are ambiguous under other circumstances so that they
only count when they can be accurate.

It seems obvious that as a weighted test, the top n most used IPs are
a good bet - similarly a suggestion for research would be to apply a
logarithmic scale to the MRU list position and use that as a weight...
This scheme can be particularly useful if the list is dynamically scaled
because the relative weights of different list positions can be
maintained as the number of entries on the list changes... This is a
similar mechanism to our Rule Strength analysis which is used to gate
out rules that are currently inactive. (See
http://www.sortmonster.com/MessageSniffer/Performance/CurrentRuleStrength.jsp)

Another important factor we have found for these kinds of tests is that
there tends to be a periodicity to message rates from some networks...
the result of this is that in a linear MRU paradigm some networks will
appear and disappear from the list resulting in late blocking on the
same period. That is, a batch of unwanted content will come through and
cause the IP to go to the top of the list, but then the flow falls off
and the IP is dropped. Next time unwanted content comes in from that IP
it is let through the filter for a time because the IP is not on the
list... shortly it will be blocked again but during that build up time
a significant amount of the content might be delivered.

A counter to this pulsing effect is to develop an increasing
persistence to the more highly listed IPs so that they tend to stay on
the list through the down period. Another important balance for
persistence however is to reduce its effects based on any ambiguous or
false positive hits... in fact it turns out that this persistence
reduction should have a persistence of its own so that periodic
false-positive indications can be suppressed when there is mixed content
from the source.

Note that periodicity, gating, and persistence mechanisms are useful on
many heuristics - not just IP based tests.

I hope these thoughts spark some new ones that prove helpful...

:-)

_M

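
An MRU list of recent spam sources with a logarithmic position weight and a simple persistence rule, as an added example that is not part of the original thread and is not Message Sniffer's implementation. The weight formula, the credit-based persistence and the addresses (documentation ranges) are assumptions made for the illustration of the ideas in the message above.

```python
import math
from typing import Dict, List


class RecentSources:
    """MRU list of spam source IPs; index 0 is the most recently seen."""

    def __init__(self, capacity: int = 2000, max_weight: float = 10.0,
                 max_credits: int = 3):
        self.capacity = capacity
        self.max_weight = max_weight
        self.max_credits = max_credits     # 0 gives a plain (linear) MRU list
        self.order: List[str] = []
        self.credits: Dict[str, int] = {}  # persistence earned by repeat hits

    def record_spam(self, ip: str) -> None:
        """Move ip to the top; a repeat offender earns one persistence credit."""
        if ip in self.credits:
            self.order.remove(ip)
            self.credits[ip] = min(self.credits[ip] + 1, self.max_credits)
        else:
            self.credits[ip] = 0
        self.order.insert(0, ip)
        if len(self.order) > self.capacity:
            self._evict()

    def _evict(self) -> None:
        """Drop the lowest entry without credit; entries passed over pay one."""
        for i in range(len(self.order) - 1, 0, -1):
            ip = self.order[i]
            if self.credits[ip] == 0:
                del self.order[i]
                del self.credits[ip]
                return
            self.credits[ip] -= 1
        del self.credits[self.order.pop()]  # everything had credit: drop bottom

    def record_false_positive(self, ip: str) -> None:
        """Ambiguous or false-positive evidence removes earned persistence."""
        if ip in self.credits:
            self.credits[ip] = 0

    def weight(self, ip: str) -> float:
        """Log-scaled weight by list position, relative to the current length."""
        if ip not in self.credits:
            return 0.0
        pos = self.order.index(ip)
        scale = math.log(1 + len(self.order))
        return self.max_weight * (1 - math.log(1 + pos) / scale)


def burst(max_credits: int) -> RecentSources:
    """Constructed traffic: one repeat offender, then a run of new sources."""
    sources = RecentSources(capacity=3, max_credits=max_credits)
    for _ in range(3):
        sources.record_spam("192.0.2.10")
    for last in (11, 12, 13, 14):
        sources.record_spam(f"192.0.2.{last}")
    return sources


if __name__ == "__main__":
    for credits in (0, 3):
        s = burst(credits)
        print(credits, s.order, round(s.weight("192.0.2.10"), 3))
```

With `max_credits=0` the repeat offender is flushed by the new sources and scores 0 on its next burst; with credits it stays listed through the quiet period at a reduced weight.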


RE: [Declude.JunkMail] Good ISP?

2003-03-11 Thread Madscientist
Recommend switching to Savvis/Bridge. They have been our primary for
years and they are awesome.

hth,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
| Sent: Tuesday, March 11, 2003 2:19 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Good ISP?
| 
| 
| I've decided, for moral and blacklist avoiding reasons to 
| switch from XO, an ISP now friendly to spammers.  Are there 
| many good ISPs left that I can switch to?  Below are all the 
| ISPs I've confirmed professional spammers being hosted on with 
| dedicated IPs.  Multiple entries indicate multiple spammers.  
| Below that is Spam Haus' list.  My apologies for mass 
| mailing so much content, but I think it is valuable to the 
| cause.  Please cut off the lists if replying:
| 
| Thanks!
| Dan
| 
| 
| 
| 
| 

RE: [Declude.JunkMail] Good ISP?

2003-03-11 Thread Madscientist
Hmmm... just noticed that savvis.net was in the bottom of that list. (I
know it's odd replying to myself - did it to keep the thread...)

I have first hand experience with their zero tolerance policy. I'd be
curious to understand the source of that listing.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED] On Behalf Of Madscientist
| Sent: Tuesday, March 11, 2003 3:18 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Good ISP?
| 
| 
| Recommend switching to Savvis/Bridge. They have been our primary for
| years and they are awesome.
| 
| hth,
| _M
| 



RE: [Declude.JunkMail] A Question of Ethics

2003-02-26 Thread Madscientist
1. We are providing the data as a necessary service - the decisions about
how that data is applied are out of our hands. I would hope that they would
be used in an enlightened way, and in our shop we do that - however the
discretion and the definition of enlightened is up to the ultimate owner
(see 2) of those facilities.

2. In corporate and similar environments, the facilities provided to
employees are entirely under the domain of the owners (== those paying the
bills) and therefore they are entitled to monitor anything about those
facilities and how they are used.

My $0.02

_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Dan Patnode
]Sent: Wednesday, February 26, 2003 7:20 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] A Question of Ethics
]
]
]I realize this is two questions in one day, but it's a slow list day, so:
]
]Rather than deleting spam, I forward it tagged or to a shared
]mailbox, client's choice.  I just found out that within a week of
]starting my anti spam service (delivery choice 2), a company
]fired an employee for receiving tons of porn via email.  They also
]have web monitoring in place so this was the last piece to their
]puzzle, but...
]
]How does everyone feel about our role playing Big Brother against
]employees?
]
]
]Dan
]
]


[Declude.JunkMail] A new feature idea.

2003-02-18 Thread Madscientist
Scott,

One of the protocols we're developing for SortMonster includes a waiting
period for messages from untrusted/unknown servers. The idea is that if the
message or its source are producing malware or other unwanted content then
a delay would give detection systems and filters a chance to adapt.

It seems like it might be possible for Declude to implement a tool like this
without a huge effort. Please correct me if I'm wrong.

The protocol is simple.

Maintain a hash table of previous mail sources.
When a message arrives which is not in the table, move it to a delayed
processing queue.
After a user defined period of time (from a few hours to a few days) the
messages in the delayed processing queue are processed as if they had just
been received.

In theory, messages from a spammer moving to a new domain, ip, or routing
would be delayed by this protocol. By the time their messages were processed
the ip4dns lists, content filters, and other tests would have adapted to
their new configuration so their message would be blocked. Any legitimate
content would be untouched with the exception of a delay on the first
message.

Sources for messages that do get blocked for any reason are removed from the
known/trusted list so that their content continues to be delayed. A more
sophisticated implementation would adjust the delay based on the
circumstances.

This protocol is intended to adapt to spammers' increasing practice of
rapidly moving to new domains in order to take advantage of the delay in
ip4dns list detection.

Is this something that would be desired/possible/practical for Declude to
implement?

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)

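
The waiting-period protocol from the message above, as an added example that is not part of the original post and is not SortMonster's or Declude's code. The class and method names are hypothetical, the `is_unwanted` callback stands in for the whole filter chain, and the addresses and timeline are constructed; time is passed in explicitly so the run is repeatable.

```python
import heapq
from typing import Callable, List, Set, Tuple

HOUR = 3600


class DelayGate:
    """Hold mail from unknown sources, then filter it as if just received."""

    def __init__(self, is_unwanted: Callable[[str, str], bool], delay: int):
        self.is_unwanted = is_unwanted   # stand-in for the full filter chain
        self.delay = delay               # seconds to hold first-contact mail
        self.known: Set[str] = set()     # hash table of previous mail sources
        self.queue: List[Tuple[int, int, str, str]] = []  # delayed processing
        self.seq = 0                     # tie-breaker keeps arrival order

    def receive(self, source: str, message: str, now: int) -> str:
        """Process mail from known sources at once; queue everything else."""
        if source in self.known:
            return self.process(source, message)
        heapq.heappush(self.queue, (now + self.delay, self.seq, source, message))
        self.seq += 1
        return "delayed"

    def release_due(self, now: int) -> List[Tuple[str, str]]:
        """Process every queued message whose waiting period has ended."""
        done = []
        while self.queue and self.queue[0][0] <= now:
            _, _, source, message = heapq.heappop(self.queue)
            done.append((message, self.process(source, message)))
        return done

    def process(self, source: str, message: str) -> str:
        """Run the filters; a block removes the source from the known table."""
        if self.is_unwanted(source, message):
            self.known.discard(source)
            return "blocked"
        self.known.add(source)
        return "delivered"


def timeline() -> list:
    """Constructed run: a new spam source and a new legitimate source."""
    blocklist: Set[str] = set()
    gate = DelayGate(lambda src, msg: src in blocklist, delay=4 * HOUR)
    log = [
        gate.receive("198.51.100.7", "offer", now=0),
        gate.receive("203.0.113.5", "hello", now=0),
    ]
    blocklist.add("198.51.100.7")           # the lists catch up during the wait
    log.append(gate.release_due(now=1 * HOUR))
    log.append(gate.release_due(now=4 * HOUR))
    log.append(gate.receive("203.0.113.5", "second", now=5 * HOUR))
    blocklist.add("203.0.113.5")            # a known source starts misbehaving
    log.append(gate.receive("203.0.113.5", "third", now=6 * HOUR))
    blocklist.discard("203.0.113.5")
    log.append(gate.receive("203.0.113.5", "fourth", now=7 * HOUR))
    return log


if __name__ == "__main__":
    for entry in timeline():
        print(entry)
```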



RE: [Declude.JunkMail] Message Sniffer Information

2003-02-17 Thread Madscientist
]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Keith Johnson
]Sent: Monday, February 17, 2003 9:01 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Message Sniffer Information
]
]
]I wanted to gain some advice on using message sniffer.  It seems
](from forum comments) to be an awesome product.   Is the
]message sniffer database of known spammers kept up on their end and
]the test within declude checks it?  Is the test quick per 10,000
]emails?  Thanks for the info.

We maintain the database continuously and provide multiple updates per day.

Typical scan times for Message Sniffer are ~140ms per message. Some systems/messages 
are much faster, some are a bit slower. (Ranges between 30ms and 300ms depending on 
CPU speed and message size).

You can view live statistics on message flow rates at:

http://www.sortmonster.com/MessageSniffer/Performance/CurrentFlowRates.jsp

Strictly speaking the database is not for known spammers as much as it is for known 
spam patterns, domains, behaviors, etc...

Hope this helps,

_M






RE: [Declude.JunkMail] how much is junk?

2003-02-14 Thread Madscientist
The average spam/ham ratio for reported logs in Message Sniffer is
70%-75%. That is, 70%-75% of messages on average are spam. This is a
small sample (about 20 systems on average) but it has been a very
consistent range.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of paul
| Sent: Thursday, February 13, 2003 2:37 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] how much is junk?
| 
| 
| Ok guys, what do you see in ratio of junk vs good mail per day? Do you get
| more junk than legit? Here I notice we're killing more than 50% of incoming
| mail. Average messages processed per day range from 13K to 23K. Using the
| log analyzer I found that January we processed 615,082 messages, and 53% we
| deleted by Declude, that's a lot!
| 
| Granted, near daily updates to my kill file and filters help boost the
| number.
| 
| Paul
| 
| 



RE: [Declude.JunkMail] copy all inbound/outbound mail

2003-02-07 Thread Madscientist
You could write a pseudotest for Declude which would handle archiving
all messages fitting a particular profile - or all of them. The utility
would see everything and would be integrated just like any other
external test. We've experimented with a few knowledge base training
systems like this using Message Sniffer to categorize the content with a
special rule base. For your purposes I'll bet something simpler could
work great - perhaps even a simple script.

Just a thought,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Dan 
| Spangenberg
| Sent: Friday, February 07, 2003 5:26 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] copy all inbound/outbound mail
| 
| 
| I know this has been discussed somewhere, either here or in the imail list,
| but I can't seem to find it.
| How can I copy all inbound and outbound email for a specific user or users
| and then possibly for a complete domain?  For incoming mail, I know to use
| the ., in the forward field in imail user admin, but not sure how to
| accomplish it for outgoing. And not sure how to do it for an entire domain.
| 
| Our need is to monitor a couple of specific imail users, and secondly we are
| considering archiving all email for a domain.
| 
| Is there anything in declude to help me with this?
| 
| Thanks
| Dan Spangenberg
| 



RE: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released

2003-02-04 Thread Madscientist
That's quoted printable stuff.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Tuesday, February 04, 2003 10:14 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released
| 
| 
| Hi;
| This Comments filter is already working great.  It is catching the trick
| quite nicely.  Great job..
| 
| Any plan to also add the variation of this trick -- simply:
| 
| =2Ecom=2F
| http=3A=2F=2F
| 
| Or the likes?  These tricks are now causing our URL filters not to be as
| effective.
| 
| Regards,
| Kami
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, February 04, 2003 10:00 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released
| 
| 
| 
|   The test is defined in the global.cfg file as follows:
|  
|  COMMENTS  comments  5  x  10  0
|  
|   where the 5 means that 5 such comments have to be encountered (the
|   10 is the weight that will be added for E-mail that fails the test).
|   Alternatively, you can use:
|  
|  COMMENTS  comments  weight  x  10  0
| 
| OK, I must not be thinking correctly.
| 
| I understand the first example but I'm confused on the second example.
| If I wanted to add 5 for every comment line found in a message, and the
| weight of the test is 10, wouldn't I put the number 5 where the word
| weight is, thereby making the two comment lines identical?
| 
| The formula for the weight that is added to the E-mail is:  b + n, where
| b is the base weight of the test (10 in both examples above), and b is
| either 0 (in the first example) or the number of anti-filtering comments
| that are found.
| 
| There isn't an option for a multiplier (so that an E-mail with 20 comments
| would get a weight of 100 and an E-mail with 40 comments would get a weight
| of 200).  So you can't add 5 for every comment.
|  -Scott
| 
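Added example, not part of the original thread: the =2E / =3A / =2F forms quoted above are quoted-printable escapes, so a URL filter has to look at the decoded MIME part, including words split by a soft line break. The message and the stand-in URL_FILTER pattern are constructed for this illustration and are not Declude's filter.

```python
import email
import re

# Stand-in for a plain-text URL filter (assumed pattern, not Declude's).
URL_FILTER = re.compile(r"http://[\w.-]+\.com/", re.IGNORECASE)

# Constructed sample message. The body hides "http://www.example.com/offer"
# behind =XX escapes and a soft line break ("=" at end of line).
RAW_MESSAGE = (
    "From: sender@example.org\n"
    "To: user@example.net\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    '<a href=3D"http=3A=2F=2Fwww=2Eexam=\n'
    'ple=2Ecom=2Foffer">click</a>\n'
)


def decoded_text_parts(raw):
    """Return every text part, decoded per its Content-Transfer-Encoding."""
    parts = []
    for part in email.message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True)  # undoes quoted-printable/base64
        charset = part.get_content_charset() or "latin-1"
        parts.append(payload.decode(charset, errors="replace"))
    return parts


def filter_hits(raw):
    """Return (hits on the raw message, hits on the decoded text parts)."""
    raw_hits = URL_FILTER.findall(raw)
    decoded_hits = [
        hit for text in decoded_text_parts(raw) for hit in URL_FILTER.findall(text)
    ]
    return raw_hits, decoded_hits


if __name__ == "__main__":
    raw_hits, decoded_hits = filter_hits(RAW_MESSAGE)
    print("raw message:", raw_hits)
    print("decoded body:", decoded_hits)
```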



RE: [Declude.JunkMail] Message Sniffer holding all mail

2003-01-28 Thread Madscientist
| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Smart Business Lists
| Sent: Tuesday, January 28, 2003 2:36 PM
| To: Bill Newberg
| Subject: Re: [Declude.JunkMail] Message Sniffer holding all mail

snip

| well, that's the error that indicates you are not authorized.
| just  glancing at the web try xnk05x5vmipeaof7 instead of the zeroes
| and see if that fixes it.  But it should be the string that was in the
| distribution you downloaded.
| 
| usually MadScientist replies pretty quickly on these things.

snip

| Terry Fritts
| 

Sorry I missed the flurry of activity - I was working on rule updates and
false positive adjustments - completely heads-down. 

Just to clear things up, you are on the right track. Version 1 did not
pay attention to the authentication string. From version 2 and from now
on the authentication string matches only one specific license - so it
matters very much.

The current demo version is actually a valid license for sniffer2 that
doesn't receive updates as frequently as registered licenses. It has a
specific authentication string... 000 won't work. The reason it
doesn't fail messages in this case is that ERROR_RULE_AUTH is a fail
safe error... Since the wrong authentication code was used, Message
Sniffer gave up and passed all messages rather than causing a problem.

For details on error messages and configuration please see:

http://www.sortmonster.com/MessageSniffer/TechnicalDetails.html

The Readme files in the sniffer2 distribution contain the correct
authentication string for the demo. You should cut and paste to avoid
typing errors.

If anyone has problems configuring Message Sniffer please send a note to
[EMAIL PROTECTED] We monitor the Declude list as much as possible
but not always as a top priority.

Sorry about the confusion.

THANKS!
_M




RE: [Declude.JunkMail] [Declude.Virus] Mozilla email client

2003-01-24 Thread Madscientist
The next phase of Message Sniffer development includes a compound
Bayesian hinting algorithm to help modulate the black/white rule set.
Since Message Sniffer works with Declude that's one way this technology
will find its way into the mix.

Scott's got a good point though - Bayesian filtering (as it has been
implemented) tends to work well at very specific tasks... That is, you
might get it to learn your specific email preferences accurately - but
once you get to the server level where there are many people involved
the accuracy drops significantly due to the diversity of the message
content and the difficulties in obtaining training data... this is why
we will be implementing a structured differentiation approach.

One direct application that might work for Declude... If you can solve
the training problem you might use a Naive Bayesian chain rule to
combine the results of the Declude tests... Specifically Declude could
maintain a table of rule firings (including white & black lists, white &
black word lists etc) and collect a statistical product on the
combinations of rules that fire.

Then it could interpret that data as a new test which adds or subtracts
a weight given the Bayesian probability of that combination of tests
being spam.

For example, the Bayesian Product test would learn that a specific
combination of rule firings has a high probability of being spam on a
given system, while another combination of test firings has a lower or
negative probability (given some threshold). 

Additional hinting can be provided by using the external list tests
to match for patterns that may be specific to that system - or shared
between the group.

As Declude integrates a greater number of tests its simple weighting
scheme will become less effective and difficult to tune - a Bayesian
approach to combining the test results might bridge the gap.

-- just a thought,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Thursday, January 23, 2003 3:29 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] [Declude.Virus] Mozilla email client
| 
| 
| 
| I read about this Bayesian filtering/scanning at some other forum as
| well. Is this something that Declude Junkmail does right now or will do
| in the (near) future? Would be nice if it were a feature of the scanner on
| the server instead of changing all mail client software? ;-)
| 
| There was a very similar feature (the heuristics test), but it proved to
| be too unreliable when it came to mailing list E-mail.
| 
| Although in theory the Bayes Theory should work very well in detecting
| spam, it does not in reality (for very technical reasons).  Using the Bayes
| Theory for spam testing relies on a number of assumptions that don't hold
| true -- it's kind of like saying if Sports Team X wins 2 of the first 3
| games they play, they have a 66% chance of winning the next game.  With the
| right assumptions, this could be accurate or close to it, but otherwise it
| just isn't accurate.
| -Scott
| 
| 
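Added example (not code from Declude or Message Sniffer): a sketch of the naive Bayes combination of test firings proposed above, turning the probability for a combination of fired tests into a weight to add or subtract. The test names, the training log, the smoothing and the probability-to-weight mapping are all assumptions made for this illustration.

```python
import math
from collections import Counter

# Illustrative test names (assumed); any set of pass/fail tests works.
TESTS = ["RBL", "NOABUSE", "NOPOSTMASTER", "COMMENTS", "SNIFFER"]

# Constructed training log: (tests that fired, manual verdict is_spam).
# NOABUSE/NOPOSTMASTER fire on plenty of legitimate mail here, so they are
# weak alone and only matter in combination with other tests.
TRAINING = (
    [(frozenset({"RBL", "NOABUSE", "NOPOSTMASTER", "SNIFFER"}), True)] * 3
    + [(frozenset({"RBL", "COMMENTS", "SNIFFER"}), True)] * 2
    + [(frozenset({"NOABUSE", "NOPOSTMASTER", "COMMENTS"}), True)] * 2
    + [(frozenset({"SNIFFER"}), True)] * 2
    + [(frozenset({"RBL", "NOABUSE", "NOPOSTMASTER"}), True)]
    + [(frozenset(), False)] * 4
    + [(frozenset({"NOABUSE", "NOPOSTMASTER"}), False)] * 4
    + [(frozenset({"RBL", "NOABUSE", "NOPOSTMASTER"}), False)]
    + [(frozenset({"RBL"}), False)]
)


class FiringModel:
    """Bernoulli naive Bayes over which tests fired."""

    def __init__(self, tests, alpha=1.0):
        self.tests = list(tests)
        self.alpha = alpha  # Laplace smoothing so unseen firings never give 0
        self.messages = {True: 0, False: 0}
        self.fired = {True: Counter(), False: Counter()}

    def train(self, fired, is_spam):
        self.messages[is_spam] += 1
        for test in fired:
            self.fired[is_spam][test] += 1

    def _p_fire(self, test, is_spam):
        count = self.fired[is_spam][test]
        return (count + self.alpha) / (self.messages[is_spam] + 2 * self.alpha)

    def spam_probability(self, fired):
        fired = set(fired)
        # Prior odds, then one likelihood ratio per test (fired or not fired).
        log_odds = math.log(
            (self.messages[True] + self.alpha) / (self.messages[False] + self.alpha)
        )
        for test in self.tests:
            p_spam, p_ham = self._p_fire(test, True), self._p_fire(test, False)
            if test in fired:
                log_odds += math.log(p_spam / p_ham)
            else:
                log_odds += math.log((1 - p_spam) / (1 - p_ham))
        return 1 / (1 + math.exp(-log_odds))

    def weight(self, fired, max_weight=10):
        """Map probability 0..1 onto a weight from -max_weight to +max_weight."""
        return round(max_weight * (2 * self.spam_probability(fired) - 1))


def build_model():
    model = FiringModel(TESTS)
    for fired, is_spam in TRAINING:
        model.train(fired, is_spam)
    return model


if __name__ == "__main__":
    model = build_model()
    for combo in (set(), {"NOABUSE", "NOPOSTMASTER"},
                  {"NOABUSE", "NOPOSTMASTER", "COMMENTS", "SNIFFER"}):
        print(sorted(combo), round(model.spam_probability(combo), 3), model.weight(combo))
```

NOABUSE and NOPOSTMASTER always fire together in the sample log, so the model counts that evidence twice; this is the kind of independence assumption the quoted reply warns about.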



RE: [Declude.JunkMail] Declude in PCMag

2003-01-24 Thread Madscientist
No price increase here :-)
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Heath
| Sent: Friday, January 24, 2003 4:52 PM
| To: Madscientist
| Subject: [Declude.JunkMail] Declude in PCMag
| 
| 
| Congratulations, Scott. Declude is mentioned in PCMag,
| latest February 25th Issue, page 95. Sniffer is also in
| the same listing. Suppose we'll see price increases now.
| 
| big grin
| 
| --
| Roger Heath
| [EMAIL PROTECTED]
| www.rleeheath.com
| 



RE: [Declude.JunkMail] More more !--UserID--

2003-01-16 Thread Madscientist
]Something that we are also considering is a test that checks for more than
]X HTML comments in an E-mail (preferably just counting ones in the middle
]of words, such as unsub<!-- user -->scribe, rather than to <!-- user -->
]unsubscribe, as the former prevents filtering whereas the latter
]does not).

Based on our research this should be a very good test.

In fact Message Sniffer rule #18545 is the 11th strongest rule in the
system! (That's just one slot out of the top 10).

Testing for html comments with non whitespace on each side is key. Testing
the number of html comments in general DOES NOT work. Much html email is
generated automatically these days with many comments emitted for debugging
purposes etc.

_M
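
Added example, not Declude's or Message Sniffer's implementation: counting only comments that sit inside a word, next to the total comment count that the post says does not work. Requiring a letter or digit on each side (stricter than "non whitespace", so comments between tags are ignored), the default threshold of 5 and both sample bodies are assumptions made for this illustration.

```python
import re

# One HTML comment whose body cannot itself contain "-->", so the regex engine
# cannot backtrack across two separate comments and merge them into one match.
_COMMENT = r"<!--(?:(?!-->).)*-->"
ANY_COMMENT = re.compile(_COMMENT, re.DOTALL)
# A run of one or more back-to-back comments with a letter or digit directly
# on each side: the run sits inside a word and splits it for a text filter.
IN_WORD = re.compile(
    r"(?<=[A-Za-z0-9])(?:" + _COMMENT + r")+(?=[A-Za-z0-9])", re.DOTALL
)

# Constructed sample: comments inserted in the middle of words.
SPAM_BODY = (
    "<html><body><p>Cl<!-- k3j -->ick he<!--9x--><!--ab-->re to "
    "unsub<!-- user -->scribe from mort<!--zz-->gage of<!--q-->fers "
    "and lo<!-- 77 -->an news.</p></body></html>"
)

# Constructed sample: machine-generated HTML with many harmless comments.
NEWSLETTER_BODY = (
    "<html><body>\n<!-- header start -->\n"
    "<table><!-- row 1 --><tr><td>Weekly news</td></tr>\n"
    "<!-- row 2 --><tr><td>Click here to unsubscribe <!-- footer --></td></tr>"
    "</table>\n<!-- tracking id 42 --><!-- build 7 -->\n"
    "<!-- end --></body></html>"
)


def comment_stats(html):
    """Return (total_comments, word_splitting_runs) for an HTML body."""
    return len(ANY_COMMENT.findall(html)), len(IN_WORD.findall(html))


def revealed_text(html):
    """Drop every comment so keyword filters see the words the reader sees."""
    return ANY_COMMENT.sub("", html)


def fails_comments_test(html, threshold=5):
    """True when at least `threshold` word-splitting comment runs are present."""
    return comment_stats(html)[1] >= threshold


if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("newsletter", NEWSLETTER_BODY)):
        total, in_word = comment_stats(body)
        print(name, "total:", total, "in-word:", in_word,
              "fails:", fails_comments_test(body))
```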






RE: [Declude.JunkMail] Hotmail, Yahoo, MSN, etc...

2003-01-09 Thread Madscientist
Agreed here - we've been working on various white-rules for these
domains and each attempt has failed due to the amount of actual spam
sourced from these servers.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
| Sent: Thursday, January 09, 2003 11:54 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hotmail, Yahoo, MSN, etc...
| 
| 
| I'd stay away from IP's because they can change all of the 
| time. But the problem still is that actual spam comes from those IP's.
| 
|  -Original Message-
|  From: [EMAIL PROTECTED]
|  [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Markus Gufler
|  Sent: Thursday, January 09, 2003 11:48 AM
|  To: [EMAIL PROTECTED]
|  Subject: RE: [Declude.JunkMail] Hotmail, Yahoo, MSN, etc...
|  
|  
|  I'm not sure if I'm right with this:
|  Should it be possible to determine a list of IP-ranges from
|  the real outgoing smtp-servers of these popular domains, then 
|  Declude probably can add a new test if this mail (using a 
|  popular from domain) comes from one of these ip-ranges.
|  
|  Even if these ip-ranges are very wide (Class C or B) a lot of
|  spamming servers forging the recipients address should be caught.
|  
|  Markus
|  
|  
|  
|  
|   -Original Message-
|   From: [EMAIL PROTECTED]
|   [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Mark Smith
|   Sent: Thursday, January 09, 2003 5:32 PM
|   To: [EMAIL PROTECTED]
|   Subject: [Declude.JunkMail] Hotmail, Yahoo, MSN, etc...
|   
|   
|   What is everyone doing about Hotmail, Yahoo, Juno and other 
|   web-based mail systems? It's really a catch-22. Hotmail is so 
|   frequently listed on RBL's and is a large source of spam but it's 
|   also a large source of legitimate email.
|   
|   They all seem to fail postmaster and abuse so they're already at 6-8 
|   points on most people's Junkmail. You can't whitelist them, and the 
|   RBL's usually send them over the edge.
|   
|   I use Sniffer so I've thought about adding a rule for hotmail, 
|   yahoo, etc to subtract the sum of postmaster and abuse and let 
|   message sniffer do some magic on these sites.
|   
|   Thoughts?
|   



RE: [Declude.JunkMail] External test question

2003-01-05 Thread Madscientist
Everybody's system is different of course.
I only offer those statistics as additional data.
You might consider that since conditions change over time, and in particular
spam rates for any given system tend to rise over time, you should be
prepared for higher rates in the future.

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Markus Gufler
]Sent: Sunday, January 05, 2003 8:32 AM
]To: [EMAIL PROTECTED]
]Subject: RE: [Declude.JunkMail] External test question
]
]
]Hi Madscientist,
]
]As I can understand we have a different situation here.
]I have no statistics about this but after weeks of research in smtp-
]declude- and spamchk-logfiles I'm 100% sure that we will never reach
]such a value.
]
]Assuming that with our current settings (declude + blacklists + spamchk)
]we're catching only 50% of all spams, (I'm sure the real value is
]appreciably higher) you can simply double the values in the
]ratio-diagram of our spam-report. Then we have a max value of 60%
]during weekends and 20% during workdays.
]
]Markus
]
]
]
] -Original Message-
] From: [EMAIL PROTECTED]
] [mailto:[EMAIL PROTECTED]] On Behalf Of Madscientist
] Sent: Sunday, January 05, 2003 1:38 AM
] To: [EMAIL PROTECTED]
] Subject: RE: [Declude.JunkMail] External test question
]
]
] According to recently collected Message Sniffer logs, on
] average more than 70% of incoming email is spam. We have an
] extremely low reported false positive rate.
]
] _M
]
] ]-Original Message-
] ]From: [EMAIL PROTECTED]
] ][mailto:[EMAIL PROTECTED]]On Behalf Of Smart Business
] ]Lists
] ]Sent: Saturday, January 04, 2003 4:40 PM
] ]To: Markus Gufler
] ]Subject: Re: [Declude.JunkMail] External test question
] ]
] ]
] ]Saturday, January 4, 2003 you wrote:
] ]MG A.) With identified as spam you mean they reached the hold value?
] ]MG B.) With 2430 processed msgs you mean inbound + outbound?
] ]MG In this case 39% is a very high value if you've not some spammers
] ]MG as client that create outgoing spam.
] ]
] ]39% is about what we saw a year ago.  Some days we're as high as 80%
] ]held.  Our False Positives are usually under 4% of held.  We manually
] ]inspect.
] ]
] ]Our stats for last 7 days (incoming only)
] ](both messages and spam have been down since 12/24 -
] ]I guess everyone has taken a bit of a vacation)
] ]
] ]Date        Fp  Fp%    Held  Total  Held%
] ]==========  ==  =====  ====  =====  ======
] ]12/28/2002   5  0.94%   534    841  63.50%
] ]12/29/2002   6  1.39%   432    755  57.22%
] ]12/30/2002  13  2.23%   583  1,474  39.55%
] ]12/31/2002  10  1.74%   575  1,393  41.28%
] ]01/01/2003   7  1.59%   441    796  55.40%
] ]01/02/2003  25  4.10%   610  1,546  39.46%
] ]01/03/2003  16  3.02%   530  1,492  35.52%
] ]
] ]
] ]Terry Fritts
] ]



RE: [Declude.JunkMail] External test question

2003-01-04 Thread Madscientist
According to recently collected Message Sniffer logs, on average more than
70% of incoming email is spam. We have an extremely low reported false
positive rate.

_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Smart Business
]Lists
]Sent: Saturday, January 04, 2003 4:40 PM
]To: Markus Gufler
]Subject: Re: [Declude.JunkMail] External test question
]
]
]Saturday, January 4, 2003 you wrote:
]MG A.) With identified as spam you mean they reached the hold value?
]MG B.) With 2430 processed msgs you mean inbound + outbound?
]MG In this case 39% is a very high value if you've not some spammers
]MG as client that create outgoing spam.
]
]39% is about what we saw a year ago.  Some days we're as high as 80%
]held.  Our False Positives are usually under 4% of held.  We manually
]inspect.
]
]Our stats for last 7 days (incoming only)
](both messages and spam have been down since 12/24 -
]I guess everyone has taken a bit of a vacation)
]
]Date        Fp  Fp%    Held  Total  Held%
]==========  ==  =====  ====  =====  ======
]12/28/2002   5  0.94%   534    841  63.50%
]12/29/2002   6  1.39%   432    755  57.22%
]12/30/2002  13  2.23%   583  1,474  39.55%
]12/31/2002  10  1.74%   575  1,393  41.28%
]01/01/2003   7  1.59%   441    796  55.40%
]01/02/2003  25  4.10%   610  1,546  39.46%
]01/03/2003  16  3.02%   530  1,492  35.52%
]
]
]Terry Fritts
]



RE: [Declude.JunkMail] any ideas?

2002-12-24 Thread Madscientist
You might try .nifty-fun-pages.com
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of paul
| Sent: Tuesday, December 24, 2002 10:01 AM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] any ideas?
| 
| 
| Hey gang,
| First, Merry Christmas, or Happy Holidays, take your pick.
| 
| First:
| One thing that really ticks me off is entries like this:
| @mail46.nifty-fun-pages.com
| @mail212.nifty-fun-pages.com
| @mail125.nifty-fun-pages.com
| 
| Now I could list each of these in my kill file, but if 
| they use mail1 - mail1999 that list would get pretty long.
| I have .nifty-fun-pages.com in my FROMLIST file, but I 
| don't weight any ONE test to delete, and each of these uses a 
| different IP address.
| 
| So the question:
| What's the best approach to kill this crap? My idea was 
| to create a Declude filter that IS set to delete if it fails, 
| and put .nifty-fun-pages.com in it. That would work, but does 
| anyone else do anything differently?
| 
| Paul
| 
| 



RE: [Declude.JunkMail] Wild card filters?

2002-12-23 Thread Madscientist
The Message Sniffer rule base already has a number of patterns like
these (I recognize kara) based on common address patterns that are being
used in spam - these seem to be very effective and are not likely to
cause false positives (none reported so far). We've also begun adding
patterns to near-random domains used by many heavy spam houses.

Between that and the ability to customize the rules for each system we
should be able to help a lot. You should give the free demo a try and
see how much it helps.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Monday, December 23, 2002 1:45 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wild card filters?
| 
| 
| 
| Our domain got hit over several days with different e-mails from addresses
| like kara_311_smith61cj8 [EMAIL PROTECTED], or some variant like
| [EMAIL PROTECTED]
| 
| these addresses are from the Xdeclude sender field in the headers.  Is
| there a way (or will there be) a way to add an address like this to a
| black list in the format kara*@hotmail.com so all variants of this will be
| caught?  I understand that a legitimate user may have a hotmail address
| that begins with kara, but I'm willing to chance that.  I can't think of
| any other way to stop these - the body of the e-mail didn't have anything
| I could really filter on.
| 
| No, there isn't any way to do that, as it would require special processing
| (rather than exact string matches).  There have been a number of requests
| for enhanced filters (such as the ability to use wildcards or regexp), so
| it is possible that a future release would allow for that.
| -Scott




RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
We've done some research on this and experimented with some rules.
More rule templates are coming, but as it turns out - filtering this is
harder than you might expect - depending upon your system's
requirements. Many supposedly legitimate mail/news systems encode large
segments of URLs or even entire urls after some processing root in order
to track user activity. Many of our first attempts to filter based on
this kind of encoding have since been rejected due to false positive
requests.

One such rule even blocked messages from the IMail list due to an
encoded %40 in the tag line.

One trick that seems to reduce the false positive rate is to define the
root of the URL carefully and to ensure that the pattern match is at the
root of the URL... so, for example, look for the href= or href= at the
top of the url to avoid the kind of legitimate encoding that might come
later.

Hope this helps,
_M

PS: We do have a number of rules coding for patterns like this and they
are very successful - not as successful as we thought they would be, but
still pretty good!

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)


| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
| Sent: Thursday, December 19, 2002 12:32 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
| 
| 
| This is a trick to make the user think that they're going to 
| a link on yahoo. Actually this is redirecting them to IP address:
| 
| 0xD5.0xEF.0x8F.0x9A 
| 
| or 213.239.143.154 and then encode the path.
| 
| I can't see any reason to do this.
| 
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Thursday, December 19, 2002 12:29 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Hex Code URL's...
| 
| 
| Hi;
| I am seeing more and more URL's that are encoded, like:
| 
| http:[EMAIL PROTECTED]/%72%65%64%6C%69%67%68%74%65%6D%61%69%6C%2F%69%6D%61%67%65%73%2F%30%
| 
| I am yet to see anyone with a legitimate eMail use such an approach for
| sending their links.
| 
| Is there a legitimate reason to do this?
| 
| It seems like this could be an easy test to have in JM for the body.  It
| is almost like a 100% guarantee that if used this is a spam..
| 
| Regards,
| Kami




RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
I might add to this thread that it is fairly common to see Yahoo
Redirects in spam content these days. There are many forms... We also
see redirects through excite, msn, and some unsuspecting corporate sites
- usually referenced by IP.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of John 
| Tolmachoff
| Sent: Thursday, December 19, 2002 12:57 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
| 
| 
|  This is a trick to make the user think that they're going to a link on 
|  yahoo. Actually this is redirecting them to IP address:
|  
|  0xD5.0xEF.0x8F.0x9A
|  
|  or 213.239.143.154 and then encode the path.
| 
| Or even worse, it could be coded to access other parts of your computer,
| such as Code Red virus.
| 
| John Tolmachoff MCSE, CSSA
| IT Manager, Network Engineer
| RelianceSoft, Inc.
| Fullerton, CA  92835
| www.reliancesoft.com
| 
| 
| 
| 



RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
Another good way to differentiate the encoded characters is to trap on
encoding characters that _should_ be normal ascii letters or numbers. In
theory, the only characters that should be encoded would be outside this
range so it's a good bet that encoding normal characters is an
obfuscation attempt.

This will definitely need to be a weighted test though.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Thursday, December 19, 2002 1:32 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
| 
| 
| 
| The problem is searching for http://%@% where % is the wildcard. I 
| don't think this is possible with the current filters.
| 
| No, that wouldn't be possible with the current filters 
| (although the IMail 
| filters might handle it).
| 
| We will likely add two tests; one that looks for encoded characters within
| the domain of a URL (IE it would catch http://www.declud%65.com; but not
| http://www.declude.com/sp%61m;), and another that looks for an @ within
| the URL.
| -Scott




RE: [Declude.JunkMail] Filtering E-Greetings

2002-12-04 Thread Madscientist
Sniffer version 2 is out now. Scumware rules have a special symbol 62.
You could look for that specific result code and treat it specially.

Currently all other spam rules are coded to the generic group with a
symbol of 63.

That should make it simpler.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Sheldon Koehler
| Sent: Wednesday, December 04, 2002 5:51 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Filtering E-Greetings
| 
| 
| Since we have to use Sniffer as a weighted test and these are 
| only failing the Sniffer test, how can I safely block these greetings?
| 
| We have too high of a volume to hold email as it would take a 
| full time staff person to just search the rejects, so we are 
| forced to delete.
| 
| 
| Sheldon
| 
| 
| Sheldon Koehler, Owner/Partner    http://www.tenforward.com
| Ten Forward Communications   360-457-9023
| Nationwide access, neighborhood support!
| 
| Whenever you find yourself on the side of the majority, it's 
| time to pause and reflect. Mark Twain
| 
| 
| 
| - Original Message -
| From: Madscientist [EMAIL PROTECTED]
| To: [EMAIL PROTECTED]
| Sent: Tuesday, December 03, 2002 2:25 PM
| Subject: RE: [Declude.JunkMail] Filtering E-Greetings
| 
| 
|  Junkmail with Message Sniffer will also handle it.
| 
|  All of these and more are included in the Message Sniffer Scumware 
|  Greetings rule group (Symbol 62). We are still looking for 
| a reliable 
|  source for additional domains as they arise.
| 
|  This was an experimental group but we have had no false positive 
|  reports on these rules so it looks like it will stay in place.
| 
|  _M
| 
| 



RE: [Declude.JunkMail] Filtering E-Greetings

2002-12-04 Thread Madscientist
Scott should back me up or correct me on this. I think that you can
configure multiple test lines using Message Sniffer where each line looks
for a specific return value instead of nonzero. Something like the
following...

SNIFFERSPAM external 63 
SNIFFERSCUM external 62 

Note the 63 and 62 take the place of nonzero...

I think there is also an optimization in there that ensures Message Sniffer
is called only once if the same command line is used and that the result
code from the single call will be evaluated against the external test
lines...

I think that's right... It's been a while since I visited with Scott on
this.

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Mike Nice
]Sent: Wednesday, December 04, 2002 7:49 PM
]To: [EMAIL PROTECTED]
]Subject: Re: [Declude.JunkMail] Filtering E-Greetings
]
]
]How can we catch symbol 62 differently?  V2 is configured as 'nonzero',
]meaning that all return codes other than zero are logged and treated alike
]by Declude.
]
]- Original Message -
]From: Madscientist [EMAIL PROTECTED]
]Subject: RE: [Declude.JunkMail] Filtering E-Greetings
]
]
] Sniffer version 2 is out now. Scumware rules have a special symbol 62.
] You could look for that specific result code and treat it specially.
]



RE: [Declude.JunkMail] Filtering E-Greetings

2002-12-03 Thread Madscientist
Junkmail with Message Sniffer will also handle it.

All of these and more are included in the Message Sniffer Scumware
Greetings rule group (Symbol 62). We are still looking for a reliable
source for additional domains as they arise.

This was an experimental group but we have had no false positive reports
on these rules so it looks like it will stay in place.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Star
| Sent: Tuesday, December 03, 2002 5:10 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Filtering E-Greetings
| 
| 
| You need junkmail pro to filter E-Greetings.  If you have a 
| firewall with http proxy, then block
| 
| 
| Also, desktop av (most) detects E-Greetings as a virus.
| 
|   -- Dan
| 
| 
| Cris Porter wrote:
| 
|  Get JunkMail, then add Sniffer and let them
|  do the filtering for you. My time spent filtering
|  has dropped off dramatically since installing it.
| 
|  Cris Porter
|  JVC America
| 
|  -Original Message-
|  From: [EMAIL PROTECTED]
|  [mailto:[EMAIL PROTECTED]]On Behalf Of David 
|  Delbridge
|  Sent: Tuesday, December 03, 2002 12:01 PM
|  To: [EMAIL PROTECTED]
|  Subject: [Declude.JunkMail] Filtering E-Greetings
| 
|  Hi all,
| 
|  What's the best approach for filtering the e-greetings scumware?  I 
|  run both Declude Virus and JunkMail, and from what I've read in the 
|  forum archives, JunkMail is the tool to use.
| 
|  The options discussed so far don't appear to be conclusive. 
|  Filtering 
|  by phrase in the body will catch legit mail.  Filtering by 
| e-greeting 
|  domains will require frequent updates, and there is no 
| authoritative 
|  source for such a list.
| 
|  What to do?
| 
|  Any advice is greatly appreciated.
| 
|  Dave



Re: [Declude.JunkMail] Free or Freedom

2002-11-29 Thread Madscientist
Suggestion: Is it possible to provide a special wildcard character that
matches whitespace and punctuation?

_M

On Fri, 2002-11-29 at 08:23, R. Scott Perry wrote:
 
 Can we filter on the word FREE and not hit FREEDOM, or filter SEX and
 not SEXTET.
 
 The question is *what* do you want to filter on?
 
 If you just want to filter on  FREE , you won't catch This is FREE!, 
 for example.
 
 I know this has been talked about before but I can't recall if any
 changes are made?
 
 Not yet.  We are planning on changing it so you can include whitespace in 
 filters, but note that you would still have to decide what to add ( FREE 
 ,  FREE,,  FREE!, ...).  That's just one of the inherent difficulties 
 with filters.
  -Scott
 



RE: [Declude.JunkMail] Greeting Card EULA Abusers

2002-11-27 Thread Madscientist
Message Sniffer now has a new experimental rule group Scumware
Greetings that contains all of the domains mentioned in the following
message. The new rulesets for this have been published. Version 2 users
will see symbol 62 for this group.

If anybody has a reliable source for the growing list we'd love to know
about it.

Thanks!

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Tom
| Sent: Monday, November 25, 2002 4:40 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Greeting Card EULA Abusers
| 
| 
| 
| In More Scumware-By-EULA ( 
| http://www.langa.com/newsletters/2002/2002-11-21.htm#2 ) we 
| discussed how Friendgreetings abuses its 
| End-User-License-Agreement by embedding deep within it a 
| clause that says, in effect, that you're allowing them to 
| place scumware on your PC. Alas, they're not the only one 
| doing this, and other, similar vendors keep shifting their 
| domain name to try to stay one step ahead of anti-scumware tools:
| 
|  Below is a list of who is sending that Emailer Hack they
|  legally trick people into. To get around the Anti Spam tools
|  they use new names. I don't see how they can afford to do this.
|  Each of the names are real and do have that so called non-
|  virus ready for a sucker [to download]. The list grows every
|  day...---Jim Cooke
| 
|  [Note: to make these links unclickable, Jim has replaced the
|  punctuation with the word DOT.}
|  
|  



RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-20 Thread Madscientist
A word of caution from our research.

Some legitimate messages do encode other URLs as parameters. As a result
this kind of filter requires the following constraints (still not
perfect but close):

Be sure your rule fires on the ROOT of the URL so that you are not
capturing parameters that have been encoded. For example,
href=http://%67 etc... but not just http://%67... as in
href=http://legitimate.web.host/somefn.jsp?xyz=http://%67%4D...

Look for encoding of normal print characters such as letters and
numbers as these are not normally encoded in legitimate URLs. (_usually_
is important here as some automated link generation systems we've seen
do code everything either as a half-hearted attempt at security or just
because it's easier to hit every nail with the hammer.)

If you combine these two constraints then the rule can be very
effective.

Hope this helps,
_M

Pete McNeil (Madscientist)
Chief SortMonster (www.sortmonster.com)
VOX: 703-406-2016
FAX: 703-406-2017


| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mike K
| Sent: Wednesday, November 20, 2002 9:06 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| A spam I received yesterday had these comments in it also.
| 
| However one thing I noticed was that the spam had a url that 
| started off with the standard http then was followed by 
| PercentHexHexPercentHexHexPercentHexHexPercentHexHexPercentHexHex
| and so on.
| 
| This should be very easy to filter on as no legit mailer 
| should be hiding urls like that.
| 
| Mike
| 
| 
| 
| 
| 
| 
| - Original Message -
| From: Madscientist [EMAIL PROTECTED]
| To: [EMAIL PROTECTED]
| Sent: Tuesday, November 19, 2002 8:47 PM
| Subject: RE: [Declude.JunkMail] Wordfilter bypassed
| 
| 
|  |
|  | However, that's the way spam control is heading.  As more 
| and more 
|  | people get fed up with spam, more and more of the bozos that are
|  | doing things the
|  | wrong way will need to fix their problems.
|  |
|  | I can understand an HTML E-mail having one or two comments in it, 
|  | but 10 or 20 is just a waste of bandwidth.  That is 
| information the
|  | recipient will
|  | never see.
|  |
|  | -Scott
| 
|  Where we got into trouble was with big corporate iron... (IBM, Sun, 
|  Microsoft, etc...) The comments in those messages were part of the 
|  code base generating the messages and I can imagine (as a web 
|  developer also) that they are pretty vital to the 
| developers in their 
|  ongoing maintenance efforts. It's not uncommon to see quite 
| a few of 
|  them. As we increased the threshold to accommodate the legitimate 
|  messages we were capturing we soon reached a level where legitimate 
|  and non-legitimate were practically indistinguishable. All 
| I'm saying 
|  here is that since HTML email is here to stay, and HTML 
| comments are 
|  legitimate and sometimes required for coding standards, a 
| simple count 
|  of HTML comments will not be a valid spam test in most 
| cases. This has 
|  been our experience - your mileage may/will vary.
| 
|  _M
| 
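The two constraints in this message (fire only on the root of a URL, and look for escapes of characters that never need escaping), together with the encoded-domain, @ and hex-IP cases from the 2002-12-19 "Hex Code URL's" replies, combined into one weighted check. This is an added example, not code from the thread, Declude or Message Sniffer; the weights, function names and the `.test` host are assumptions, and the samples are constructed around the URLs quoted in the thread.

```python
import re
import string
from urllib.parse import unquote

# Illustrative weights (assumption): the thread only says such tests must be weighted.
WEIGHTS = {"encoded_host": 10, "userinfo_at": 8, "hex_ip_host": 8}

# A URL is examined only when it starts at a token boundary or an href=/src=
# attribute, so a URL carried inside another URL's query string is never
# inspected on its own (the "root of the URL" constraint).
URL_RE = re.compile(r"""(?:^|[\s"'<>(]|href=|src=)(https?://[^\s"'<>]+)""", re.IGNORECASE)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
HEX_OCTET_RE = re.compile(r"0x[0-9A-Fa-f]{1,2}", re.IGNORECASE)
# Characters that never need escaping in a URL (letters, digits, - . _ ~).
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def split_root(url):
    """Return (userinfo or None, host) taken from the authority part of url."""
    authority = re.split(r"[/?#]", url.split("://", 1)[1], maxsplit=1)[0]
    userinfo, at, hostport = authority.rpartition("@")
    host = re.sub(r":\d*$", "", hostport)          # drop an optional :port
    return (userinfo if at else None), host


def needless_escapes(text):
    """Percent-escapes that decode to characters which never need escaping."""
    return [m.group(0) for m in PCT_RE.finditer(text)
            if chr(int(m.group(1), 16)) in UNRESERVED]


def hex_ip(host):
    """Dotted-hex IPv4 such as 0xD5.0xEF.0x8F.0x9A as dotted decimal, else None."""
    parts = host.split(".")
    if len(parts) == 4 and all(HEX_OCTET_RE.fullmatch(p) for p in parts):
        return ".".join(str(int(p, 16)) for p in parts)
    return None


def scan(body):
    """Return one finding per suspicious URL root found in a message body."""
    findings = []
    for m in URL_RE.finditer(body):
        url = m.group(1).rstrip(".,;)")            # trailing sentence punctuation
        userinfo, raw_host = split_root(url)
        host = unquote(raw_host)
        tests = []
        if needless_escapes(raw_host):
            tests.append("encoded_host")
        if userinfo is not None:
            tests.append("userinfo_at")
        decoded_ip = hex_ip(host)
        if decoded_ip:
            tests.append("hex_ip_host")
            host = decoded_ip
        if tests:
            findings.append({"url": url, "host": host, "tests": tests,
                             "weight": sum(WEIGHTS[t] for t in tests)})
    return findings


# Constructed message fragments built around the URLs quoted in the thread.
SAMPLES = {
    "encoded_domain": "See http://www.declud%65.com; for details",
    "encoded_path_only": "See http://www.declude.com/sp%61m; for details",
    "encoded_parameter": "<a href=http://legitimate.web.host/somefn.jsp?xyz=http://%67%4D>",
    "fully_encoded_root": "<a href=http://%77%77%77.%65xample.test/offer>",
    "userinfo_hex_ip": 'Click <a href="http://www.example.test@0xD5.0xEF.0x8F.0x9A/%70age">',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan(body))
```

Escapes in the path or in a parameter value add no weight here, which is what keeps the legitimate redirect-style link in the third sample from firing.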



RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
We attempted implementing a test that counts the number of html comments
and found that it was impractical as it consistently captured a large
number of legitimate services. (Scott, you indicated that it might catch
some - our experience has been that it captures so many we had to drop
it.) I suspect that most systems will need to weight such a test very
lightly. Hope this helps.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, November 19, 2002 8:23 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| 
| The sneaky buggers are at it again. I've been getting more and more 
| emails
| that don't fail any tests at all, but should be caught as 
| spam due to 
| multiple wordfilter hits. I had a look at the message (HTML) 
| source, and 
| found this:
| 
| Hum<!--nnbvmx-->an Gr<!--d-->owth Hor<!--fjkg-->mone Th<!--sdkf-->erapy
| 
| Scott, is it possible that the wordfilter, when looking at 
| HTML source
| messages, can be made to disregard HTML comments, as above?
| 
| That likely isn't something that we will be doing, as it will 
| add a lot of 
| extra CPU time (or require writing our own specially designed string 
| matching functions).  However, we are thinking of adding a 
| test that will 
| get triggered if a certain number of comments are found in an 
| E-mail.  Although this would catch the occasionally bandwidth-wasting 
| legitimate bulk mailers (that have real comments), it would 
| also be very 
| useful in detecting spam.
|   -Scott
| 



RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
| 
| However, that's the way spam control is heading.  As more and 
| more people 
| get fed up with spam, more and more of the bozos that are 
| doing things the 
| wrong way will need to fix their problems.
| 
| I can understand an HTML E-mail having one or two comments in 
| it, but 10 or 
| 20 is just a waste of bandwidth.  That is information the 
| recipient will 
| never see.
| 
| -Scott

Where we got into trouble was with big corporate iron... (IBM, Sun,
Microsoft, etc...) The comments in those messages were part of the code
base generating the messages and I can imagine (as a web developer also)
that they are pretty vital to the developers in their ongoing
maintenance efforts. It's not uncommon to see quite a few of them. As we
increased the threshold to accommodate the legitimate messages we were
capturing we soon reached a level where legitimate and non-legitimate
were practically indistinguishable. All I'm saying here is that since
HTML email is here to stay, and HTML comments are legitimate and
sometimes required for coding standards, a simple count of HTML comments
will not be a valid spam test in most cases. This has been our
experience - your mileage may/will vary.

_M




RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
That's a good point. Perhaps we'll do some testing in the new version
for comments bounded by nonwhitespace.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, November 19, 2002 10:21 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| 
|   Lots of the content management systems are heavily 
| commented so I
|   see a lot of comments in html messages to subscribers.
| 
|   However, they are not commented between words but that's a
|   difficult parse I think.
| 
| Aha... that could be the key!
| 
| A spammer will use something like or<!-- blah -->der.  If they use
| or <!-- blah --> der, it will appear on the screen as or der, which
| will confuse people (Call to or der now! isn't very readable).
| Whereas the content management systems likely have the comment on the
| beginning of a new line, or at least have a space before/after it.
|   -Scott
| 
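The difference between counting HTML comments and testing for comments that sit inside a word, as discussed in the "Wordfilter bypassed" messages above. This is an added example, not code from the thread, Declude or Message Sniffer; the function names, the threshold of 4 and the newsletter sample are assumptions, and "bounded by nonwhitespace" is narrowed here to letters or digits on both sides so that comments placed directly beside tags do not fire.

```python
import re

COMMENT = r"<!--(?:(?!-->).)*-->"              # one HTML comment, never spanning two
COMMENT_RE = re.compile(COMMENT, re.DOTALL)
# Letters/digits, one or more comments, letters/digits again: a word cut by comments.
SPLIT_WORD_RE = re.compile(rf"\w+(?:(?:{COMMENT})+\w+)+", re.DOTALL)


def strip_comments(html):
    """Text as the recipient's mail client renders it, with comments removed."""
    return COMMENT_RE.sub("", html)


def analyse(html, phrases=(), count_threshold=4):
    """Compare the comment-count test with the split-word test on one body."""
    total = len(COMMENT_RE.findall(html))
    rebuilt = [strip_comments(m.group(0)) for m in SPLIT_WORD_RE.finditer(html)]
    visible = strip_comments(html).lower()
    return {
        "comments": total,
        "count_test": total >= count_threshold,   # the test the thread found impractical
        "split_test": bool(rebuilt),              # comment with a word on both sides
        "split_words": rebuilt,
        "raw_hits": [p for p in phrases if p.lower() in html.lower()],
        "normalised_hits": [p for p in phrases if p.lower() in visible],
    }


PHRASES = ("growth hormone",)                     # sample word-filter entry

SAMPLES = {
    # The line quoted in the thread, with the angle brackets written out.
    "split_spam": "Hum<!--nnbvmx-->an Gr<!--d-->owth Hor<!--fjkg-->mone Th<!--sdkf-->erapy",
    # Constructed newsletter: many comments, all on their own line or beside a tag.
    "newsletter": (
        "<!-- header start -->\n"
        "<table><!-- nav -->\n"
        "<tr><td>Weekly product update</td></tr><!-- row end -->\n"
        "<!-- footer start -->\n"
        "<p>Unsubscribe any time.</p>\n"
        "<!-- footer end -->\n"
        "</table>\n"
    ),
    "inline": "Call to or<!-- blah -->der now!",
    "spaced": "Call to or <!-- blah --> der now!",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, analyse(body, PHRASES))
```

The count test fires on both the quoted spam line and the newsletter, while the split test fires only where a comment interrupts a word; `normalised_hits` shows the phrase the raw word filter missed.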



RE: [Declude.JunkMail] Two JunkMail questions please...

2002-11-04 Thread Madscientist
Our test server does not show any significant difference between Declude
alone and Declude w/ Message Sniffer. Performance logs report average
processing times of about 170ms per message - and this includes the time
it takes to load the rule base and the message under test. Our test bed
server sees about 450ms on average - but most of that is IO rather than
CPU and our test server is intentionally underpowered. Our production
Linux gateway running Message Sniffer processes messages in less than
40ms per message consistently.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:Declude.JunkMail-owner;declude.com] On Behalf Of 
| David Lewis-Waller
| Sent: Monday, November 04, 2002 12:15 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Two JunkMail questions please...
| 
| 
| Has anyone found MessageSniffer to add any significant CPU 
| load before/after implementation?
| 
| David
| WiSS Limited
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:Declude.JunkMail-owner;declude.com] On Behalf Of Uhte, Russ
| Sent: 04 November 2002 17:06
| To: '[EMAIL PROTECTED]'
| Subject: RE: [Declude.JunkMail] Two JunkMail questions please...
| 
| 
| Joe,
| I can't comment for anyone else, but I'd like to give my $.02 
| on question 1. We've recently purchased MessageSniffer, and 
| its results have been outstanding.  We use a weight of 20 as 
| our breaking point on when a message can no longer be 
| delivered.  I've set MessageSniffer with a weight of 17. 
| We've almost completely eliminated spam!!! -Russ
| 
| -Original Message-
| From: Joe Wolf / CompuService [mailto:joe;csgo.com] 
| Sent: Monday, November 04, 2002 11:54 AM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Two JunkMail questions please...
| 
| 
| First I'm still a newbie to JunkMail so forgive my ignorance.
| Two issues to cover:
| 
| #1 I am basically using the default settings for JunkMail.  I have had a
| few valid messages marked as spam, but I still get quite a 
| bit of spam thru that I wish to get rid of.  Does anyone have 
| a template, or suggestion on what settings work the best for 
| JunkMail?  I know that I can customize anything I want, but 
| at the same time I don't want to make it my life to 
| investigate which database is best, etc.  Any help would be 
| appreciated.
| 
| #2 My mail server does quite a bit of list serving.  I've noticed that
| since I installed JunkMail my server is running further and 
| further behind. I've gone from nearly immediate delivery of 
| messages to nearly an hour behind.  Is the Declude 
| replacement to the Ipswitch mail handler that much more 
| inefficient, or does JunkMail just take a lot more processing? 
| My CPU utilization chart is not too high, but it takes so 
| long to process messages.
| 
| Thanks,
| Joe
| 



RE: [Declude.JunkMail] Unwanted E-cards filling email inboxes

2002-10-28 Thread Madscientist
IMFilter can help with that and it's free.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:Declude.JunkMail-owner;declude.com]On Behalf Of John Tolmachoff
]Sent: Sunday, October 27, 2002 10:13 PM
]To: [EMAIL PROTECTED]
]Subject: RE: [Declude.JunkMail] Unwanted E-cards filling email inboxes
]
]
]Just use a regular rule in your rules.ima file.
]
]But then I have to copy that to all users, correct?
]
]John Tolmachoff
]IT Manager, Network Engineer
]RelianceSoft, Inc.
]La Habra, CA  90631
]www.reliancesoft.com
]
]



RE: [Declude.JunkMail] Catching SPAM when the sender = recipient

2002-10-28 Thread Madscientist
The test could match any email where from and to are the same but
delivery is not local.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:Declude.JunkMail-owner;declude.com] On Behalf Of Todd Holt
| Sent: Friday, October 25, 2002 10:47 AM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Catching SPAM when the sender = recipient
| 
| 
| I have noticed that many spammers in recent months have begun 
| to use the recipients email as the senders email.
| 
| Can this be trapped by the current tests or should I request 
| a new test to cover this?
| 
| The only legitimate mail that would pass this test would be 
| users sending mail to themselves and for us it would be worth 
| losing the capability which I don't think is used much.
| 
| Todd
| 



RE: [Declude.JunkMail] Filter Help

2002-10-16 Thread Madscientist

An aside -

Watch out for false positives with this one.
We tried a rule that captured all numeric-only web links as they are a
favorite for porn spammers and mortgage folks.

Unfortunately we discovered that a number of legitimate news services
also do this sometimes so we were forced to begin entering specific
numbered web links.

Hope this helps.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Karen Oland
| Sent: Wednesday, October 16, 2002 2:24 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Filter Help
| 
| 
| Is there any way to check for references to web sites that 
| only have domain names?
| 
| I included the rules below, but they never seem to trigger:
| 
| BODY 10 CONTAINS http://1
| BODY 10 CONTAINS http://2
| BODY 10 CONTAINS http://3
| BODY 10 CONTAINS http://4
| BODY 10 CONTAINS http://5
| BODY 10 CONTAINS http://6
| BODY 10 CONTAINS http://7
| BODY 10 CONTAINS http://8
| BODY 10 CONTAINS http://9
| BODY 10 CONTAINS http://0
| 
| I don't want to block using IMAIL, as we have a vendor that 
| sends us email that has a web site with a real name that 
| starts with a 101. However, we do want to have enough 
| weight to this type of a rule, that any other violation will 
| result in the message being sorted into our spam box.
| 
| Karen Oland
| 
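The trade-off in this exchange, as an added example that is not part of either post and is not Declude's own logic: the ten `http://<digit>` prefix rules also hit a named site that merely starts with digits, while scoring on the parsed link host separates numeric hosts from names and can be narrowed to specific listed hosts. The function names, the sample bodies and all hosts (reserved documentation ranges and `.example` names) are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample bodies (documentation address ranges, .example names).
VENDOR_MAIL = "Your order shipped. Track it at http://101vendor.example/track?id=7"
SPAM_MAIL = "Refinance now: http://192.0.2.44/apply or http://3221225996/r"
NEWS_MAIL = "Full story: http://198.51.100.7/news/2002/10/16.html"


def prefix_rule_hits(body):
    """Emulate the ten 'BODY 10 CONTAINS http://<digit>' rules from the post."""
    return any(f"http://{d}" in body for d in "0123456789")


def host_kind(url):
    """Return (kind, host) where kind is 'ipv4', 'integer' or 'name'."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:              # malformed bracketed host
        return "name", ""
    try:
        ipaddress.IPv4Address(host)  # dotted quad such as 192.0.2.44
        return "ipv4", host
    except ValueError:
        pass
    if host.isascii() and host.isdigit():   # address written as one integer
        return "integer", host
    return "name", host              # includes names that start with digits


def numeric_link_weight(body, weight=10, listed=None):
    """Score a body by link host instead of by URL prefix.

    listed=None   -> any numeric host adds `weight` (the broad rule).
    listed=<set>  -> only hosts in the set add `weight` (specific entries).
    Returns (score, sorted list of the hosts that counted).
    """
    counted = set()
    for url in URL_RE.findall(body):
        kind, host = host_kind(url)
        if kind == "name":
            continue
        if listed is None or host in listed:
            counted.add(host)
    return (weight if counted else 0), sorted(counted)


if __name__ == "__main__":
    for label, body in (("vendor", VENDOR_MAIL), ("spam", SPAM_MAIL), ("news", NEWS_MAIL)):
        print(label, prefix_rule_hits(body), numeric_link_weight(body),
              numeric_link_weight(body, listed={"192.0.2.44"}))
```

The broad rule still scores the constructed news message, which is the false positive described in the reply; passing `listed` reproduces the fallback of entering specific numbered links.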



RE: Re: [Declude.JunkMail] Spam Mail Statistics

2002-10-14 Thread Madscientist

That's a bad sign.
None of those ports should be open to the outside world - you risk
having your entire network hijacked. It's good practice to block all
ports that are not required for services you are offering specifically.
But especially block:

135, 137, 138, 139.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Frederick Samarelli
| Sent: Monday, October 14, 2002 2:41 PM
| To: [EMAIL PROTECTED]
| Subject: Re: Re: [Declude.JunkMail] Spam Mail Statistics
| 
| 
| I found by blocking port 135 stops the Messenger Pop-ups.
| 
| 
| - Original Message -
| From: Dan Horne [EMAIL PROTECTED]
| To: [EMAIL PROTECTED]
| Sent: Monday, October 14, 2002 1:38 PM
| Subject: RE: Re: [Declude.JunkMail] Spam Mail Statistics
| 
| 
|  I got this from one of the Lockergnome newsletters that came out
|  recently.
|
|  Dan
|
|  ---
|  Pop-up Spammers
|
|  I've often wondered how long it would take for the abuse of
|  Microsoft's Messenger services to begin. This is a network service
|  that listens for messages, which are displayed on screen when
|  received. You can use this service to send text messages to other
|  users on the network (net send command from a DOS prompt), provided
|  they have the services running. As you might expect, this is enabled
|  by default in Windows NT/2K/XP, and for little reason. I know of very
|  few people that actually use it, particularly home users. Those of you
|  that are on broadband connections and are not running a firewall may
|  have seen a strange little window pop up at you hawking diplomas,
|  inviting you to visit an explicit website or whatever else our
|  favorite bunch of Internet low-life can dredge up.
|
|  I have always been very supportive of a minimalist configuration. Turn
|  it off by default, then let the user decide if they want it turned on.
|  As things are, we have all sorts of virtually useless capability built
|  into Windows and other Microsoft software, and fully enabled by
|  default. Maybe there's a case to be made for the functionality, but
|  there is not a case to be made for subjecting the masses to such abuse
|  when the feature won't be used by the vast majority of users and it's
|  quite easy to scan the open ports on a workstation to see if the
|  service is available for abuse. With Windows 2000 and XP seeing much
|  wider adoption, and port 139 open by default, it was only a matter of
|  time before it was taken advantage of to pester unsuspecting users.
|
|  You can disable the Messenger in Windows 2000/XP by right-clicking My
|  Computer, selecting Manage from the context menu. Expand Services and
|  Applications and click Services, which will populate the right window
|  pane with the long list of services installed. Scroll down to
|  Messenger and double-click the item. In the Startup Type dropdown box,
|  select Disabled, then click the Stop button in the Service Status
|  section of the window. From now on, your PC will not be subjected to
|  these pop-up messages.
| 



RE: [Declude.JunkMail] Effectiveness

2002-10-08 Thread Madscientist

We're getting further off-topic for the Declude list I think. 
Apologies again.

| The personal messages are the most difficult and becoming 
| worse.  They are random and infrequent.  They are often among 
| the most important messages.  Individuals have an 
| unbelievable number of private e-mail accounts that they 
| seemingly use with little organized thought.  And some of the 
| messages are SPAM except for the fact that the user intends 
| to send them and the recipient wants them.  A very, very 
| difficult problem.

Thanks for all that... I think you're right on all counts. This last one
is a real bugger - however we have some dynamic systems coming that
should help this somewhat. I believe Scott is thinking of putting some
similar things in place for Declude, or at least that they are on the
wish-list.

Two methodologies -

(1) Legitimate messages contain some pass code that can be white-coded
by Message Sniffer, thus allowing them past no matter where they are
sent from. This could be some standard part of the other party's
signature (their name, or phone number for example), or something
special that you gave them. (If you're a Ham Radio fan, this is like a
PL tone for email.)

(2) The system may presume that if you have sent a message to a
particular address that this address is allowed to send messages to you
- with some intervening metrics to avoid abuse - such as recording also
the source and destination networks. This one is probably ok unless the
message comes from a completely random source.

In any case, businesses using spam filtering should have a method for
handling unwanted lockouts such as maintaining an unfiltered contact
address that has very limited filtering so that customers/contacts
always have an address they can go to... or a contact form that allows
the contact to send their first query to the company and registers the
sender's email address with the filtering system so that they can be
sure to always get through. If these are links on the company web site,
they can be randomized aliases that are generated daily and then thrown
away. The alias would point to an underlying account that is never
publicly posted. Anyone clicking on the Contact Us link will get
through with the address of the day... any spammer harvesting that
address has polluted their database with a bad address that, after a
while, can be used to detect spammers (no legitimate contact would use
the address after some reasonable period of time).

Another mechanism like this would be an address on the system where
internal users can BCC or forward a message to/from a new contact such
that the system collects their addresses and gates their email from then
on - allowing them into the circle of trust. Mechanisms like this can
be easily implemented with only minor procedural changes and can have a
profound impact on spam reduction by allowing for very strict (or even
closed) filtering. 

For example, in a sales organization it is likely that notification of a
new customer or lead would be forwarded to some sales manager. If that
manager's address were an alias that copied the message to the gating
address on the system then white listing the new lead would be
transparent and automatic in nearly all cases. 

We plan to offer features with our online database to automate some of
these mechanisms. Many could be implemented now with Declude and a
little bit of programming work to manage white & black lists... within
limits, of course.

_M

PS: Note that the model for (1) is also applicable to a customized
NO-SPAM system which uses computer generated headers (convolution codes)
to authenticate senders and receivers. Sniffer would then gate messages
with legitimate pass-codes while diverting all other traffic. Clients
and MTAs that have been allowed into the circle of trust for a
particular organization would produce recognizable one-time codes in
their message headers so that other participating systems in the circle
would not filter them out. Systems outside this circle would take their
chances with the filters or simply not be allowed to send their
messages. Convolution codes are used once and thrown away so that nobody
can catch one and use it to gate their spam or other malware into the
system.



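The daily throw-away contact alias described in this message, as an added example that is not part of the original post and not Declude or Message Sniffer code. It assumes the alias is derived from the date with an HMAC under a server-side secret, a 14-day grace period stands in for "some reasonable period of time", and a sender who uses the current alias is registered with the filter; the key, the domain and every name in the code are constructed.

```python
import hashlib
import hmac
from datetime import date, timedelta

SECRET = b"constructed-demo-key"   # assumption: secret held only by the mail system
DOMAIN = "example.com"             # assumption: placeholder domain
GRACE_DAYS = 14                    # assumption: how long a published alias stays valid
LOOKBACK_DAYS = 365                # how far back stale aliases are still recognised


def alias_for(day, secret=SECRET):
    """Alias shown behind the 'Contact Us' link on the given day."""
    tag = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).hexdigest()[:10]
    return f"contact-{tag}@{DOMAIN}"


def classify_recipient(rcpt, today, secret=SECRET):
    """Return 'deliver', 'trap' or 'unknown' for an incoming RCPT address.

    No alias table is stored: each candidate day's alias is recomputed and
    compared in constant time.
    """
    candidate = rcpt.strip().lower().encode("utf-8")
    for age in range(LOOKBACK_DAYS + 1):
        expected = alias_for(today - timedelta(days=age), secret).encode("utf-8")
        if hmac.compare_digest(candidate, expected):
            return "deliver" if age <= GRACE_DAYS else "trap"
    return "unknown"


class ContactGate:
    """Tracks who got in through a fresh alias and who used a stale one."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.allowed = set()    # senders registered with the filter
        self.suspects = set()   # senders that mailed an expired alias

    def receive(self, sender, rcpt, today):
        verdict = classify_recipient(rcpt, today, self.secret)
        if verdict == "deliver":
            self.allowed.add(sender.lower())
        elif verdict == "trap":
            # No legitimate contact would still be using this address.
            self.suspects.add(sender.lower())
        return verdict


if __name__ == "__main__":
    today = date(2002, 10, 8)
    gate = ContactGate()
    print(alias_for(today))
    print(gate.receive("lead@customer.example", alias_for(today), today))
    print(gate.receive("bulk@sender.example",
                       alias_for(today - timedelta(days=60)), today))
```

Mail to an alias older than the grace period is never delivered and only feeds the suspect list, so a harvested address turns into a detection signal.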



RE: [Declude.JunkMail] FYI - APPENDING is newest spam fad

2002-10-08 Thread Madscientist

| Declude probably doesn't need to do anything special - spam 
| is still spam, but this really bothers me that spam 
| technologies like this are starting to become mainstream -- 
| Maybe we really do need laws regulating spam as a law would 
| quickly stop all these for-profit, but easily identifiable 
| companies from doing this.

I'm cautious about laws... if you make it illegal then it will go
underground and become more difficult to defend.

For example, here's a nasty trend I hate... Norton Antivirus and Norton
Systemworks being sold by what seems like every spam house in the
world... It's a deluge... If you talk to Symantec they have nothing to
do with it... of course... And how can they prevent unauthorized
third/fourth parties from reselling product they purchase or steal from
the pipeline? The dark side of me thinks... why would they want to since
it all drives revenue to Symantec in the long run?

My point is, legal or not - legitimate or not - if there's a way to do
this in the name of marketing they will figure out how. There are laws
against cold-calling my phone at home, but it happens every day - glad I
have caller ID so I can do some filtering.

I think we're going to have to beat this one with technology - and I
pray we can get that done before the lawyers come and cause real
trouble.

_M




RE: [Declude.JunkMail] Effectiveness

2002-10-06 Thread Madscientist

] traps are something I have yet to create, what's the best way
]to implement them?  Specifically, do you distribute them across
]domains or does it matter and what are the best ways to infect
]them?  Do you use customer domains and if so, what happens if/when
]they leave your ISP/protection?

Implementing good spamtraps is a difficult, time consuming process that
requires both skill and secrecy. If done badly you will receive messages
that are not unsolicited and you may have spammers abuse your spamtraps and
mail systems to prevent you using them ... all sorts of ugly things can
happen.

For obvious reasons I cannot disclose how we develop our spam traps nor
where they may be.

A few general things I can tell you in response to your questions.

A good spamtrap must look to the world like any real user who never
subscribed to any lists.

It is good to have spamtraps distributed across a wide range of domains -
preferably on networks that are not your own.

As for how to infect them... Think about this: You no doubt have an email
address that receives a significant amount of spam. What is it that you have
done with this account short of subscribing to lists and services?

A couple of ways that email addresses get picked up that are public domain:

* Posts in news groups and otherwise publicly available message boards.
* Email addresses listed as contact info on web sites.

Another that is obvious but not widely discussed is that you can place your
spam trap in the path of a dictionary attack...

It's a lot like fishing... you have to be quiet and in the right place.

Hope this helps,
_M

]
]Thanks
]Dan
]
]
]
]On Saturday, October 5, 2002 19:18, Madscientist
][EMAIL PROTECTED] wrote:
]Perhaps you misunderstood.
]More than 70% of ALL traffic is captured on average for reporting systems.
]The base includes non-spam as well. In terms of a percentage of spam,
]Declude has published statistics consistently showing 85% or more of all
]incoming spam. On our system it is closer to 92% counting what comes from
]all spam traps.
]
]Hope this clears things up.
]_M
]
]]-Original Message-
]]From: [EMAIL PROTECTED]
]][mailto:[EMAIL PROTECTED]]On Behalf Of Dan Patnode
]]Sent: Saturday, October 05, 2002 9:30 PM
]]To: [EMAIL PROTECTED]
]]Subject: [Declude.JunkMail] Effectiveness
]]
]]
]]70%?  I believe the spam filter that comes free with Mac OS 10.2
]]does that well by itself, though I haven't tested it for FPs yet.
]]Has anyone else tried it?
]]
]]Dan
]]
]]
]]On Friday, October 4, 2002 14:02, Madscientist
]][EMAIL PROTECTED] wrote:
]]We have similar circumstances in the email systems that we host. We
]]currently trap more than 80% of incoming messages as spam with our
]]Message Sniffer software. The average for all reporting systems is
]]something just over 70%.
]]
]]I think Declude w/ Message Sniffer is the way to go if you have an Imail
]]server. Of course I am biased - but there are others here who might back
]]me up. The demo is free if you want to try it
]](http://www.sortmonster.com).
]]
]]Biased $0.02
]]
]]_M
]]
]]| -Original Message-
]]| From: [EMAIL PROTECTED]
]]| [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Purtell
]]| Sent: Friday, October 04, 2002 3:27 PM
]]| To: Declude JunkMail (E-mail)
]]| Subject: [Declude.JunkMail] Newbie question about baseline
]]
]]snip
]]
]]| However, when I check the server each morning, the spambox
]]| has at least 250 new messages, and one Monday I found 1,000.
]]| Bear in mind we only have approx 200 employees nationwide and
]]| serve a niche market. I've tried to be aggressive about
]]| automatically deleting certain incoming mail, especially
]]| using rules.ima. Hence the term baseline in my subject. Do
]]| more experienced postmasters find this much junk on their
]]| server and just delete it manually, or do they make better
]]| use of the software to automatically delete spam?
]]

RE: [Declude.JunkMail] Effectiveness

2002-10-05 Thread Madscientist

Perhaps you misunderstood.
More than 70% of ALL traffic is captured on average for reporting systems.
The base includes non-spam as well. In terms of a percentage of spam,
Declude has published statistics consistently showing 85% or more of all
incoming spam. On our system it is closer to 92% counting what comes from
all spam traps.

Hope this clears things up.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Dan Patnode
]Sent: Saturday, October 05, 2002 9:30 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Effectiveness
]
]
]70%?  I believe the spam filter that comes free with Mac OS 10.2
]does that well by itself, though I haven't tested it for FPs yet.
]Has anyone else tried it?
]
]Dan
]
]
]On Friday, October 4, 2002 14:02, Madscientist
][EMAIL PROTECTED] wrote:
]We have similar circumstances in the email systems that we host. We
]currently trap more than 80% of incoming messages as spam with our
]Message Sniffer software. The average for all reporting systems is
]something just over 70%.
]
]I think Declude w/ Message Sniffer is the way to go if you have an Imail
]server. Of course I am biased - but there are others here who might back
]me up. The demo is free if you want to try it
](http://www.sortmonster.com).
]
]Biased $0.02
]
]_M
]
]| -Original Message-
]| From: [EMAIL PROTECTED]
]| [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Purtell
]| Sent: Friday, October 04, 2002 3:27 PM
]| To: Declude JunkMail (E-mail)
]| Subject: [Declude.JunkMail] Newbie question about baseline
]
]snip
]
]| However, when I check the server each morning, the spambox
]| has at least 250 new messages, and one Monday I found 1,000.
]| Bear in mind we only have approx 200 employees nationwide and
]| serve a niche market. I've tried to be aggressive about
]| automatically deleting certain incoming mail, especially
]| using rules.ima. Hence the term baseline in my subject. Do
]| more experienced postmasters find this much junk on their
]| server and just delete it manually, or do they make better
]| use of the software to automatically delete spam?
]



RE: [Declude.JunkMail] Newbie question about baseline

2002-10-04 Thread Madscientist

We have similar circumstances in the email systems that we host. We
currently trap more than 80% of incoming messages as spam with our
Message Sniffer software. The average for all reporting systems is
something just over 70%.

I think Declude w/ Message Sniffer is the way to go if you have an Imail
server. Of course I am biased - but there are others here who might back
me up. The demo is free if you want to try it
(http://www.sortmonster.com).

Biased $0.02

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Purtell
| Sent: Friday, October 04, 2002 3:27 PM
| To: Declude JunkMail (E-mail)
| Subject: [Declude.JunkMail] Newbie question about baseline

snip

| However, when I check the server each morning, the spambox 
| has at least 250 new messages, and one Monday I found 1,000. 
| Bear in mind we only have approx 200 employees nationwide and 
| serve a niche market. I've tried to be aggressive about 
| automatically deleting certain incoming mail, especially 
| using rules.ima. Hence the term baseline in my subject. Do 
| more experienced postmasters find this much junk on their 
| server and just delete it manually, or do they make better 
| use of the software to automatically delete spam?




RE: [Declude.JunkMail] Filtering question

2002-10-03 Thread Madscientist

Scott,

Is it possible to enclose phrases in quotes for these filters?

" robert allen "

If not can this be a feature request?

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Thursday, October 03, 2002 10:33 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Filtering question
| 
| 
| 
| If I want to add two words into a single filter rule how do 
| I do this?
| 
| For example:
| 
| BODY 10 CONTAINS robert allen
| 
| I'm assuming that the space would confuse the rule.
| 
| Actually, that will work (the only problem is that spaces 
| before/after the 
| filter text won't be used, but they will be used if they are 
| in the filter 
| text).
| 
| Should I add:
| 
| BODY 10 CONTAINS robert%20allen
| 
| No -- the %20 format only works in HTML/HTTP.
|  -Scott
| 



RE: [Declude.JunkMail] SPAMCOP:[SNIFFER Sniffer test failed]Declude.JunkMail and Message Sniffer

2002-09-26 Thread Madscientist

For now, you will want to whitelist these. The trouble is that many lists
append advertising content to their messages. Sniffer tends to get triggered
by the advertising content.

Next month we plan to release a version that includes compound heuristics.
At that time we will begin adding white-rules to the database to match well
known legitimate lists. We expect this will reduce the problem.

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Lenny Bauman
]Sent: Thursday, September 26, 2002 8:42 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] SPAMCOP:[SNIFFER Sniffer test
]failed]Declude.JunkMail and Message Sniffer
]
]
]Hello all
]
]I have Junkmail running and it has cut down on the spam somewhat. I am
]still getting a lot of spam, so I thought I would give Message Sniffer a
]try. I installed it about 24 hours ago and it has caught a large amount of
]the messages that I was getting as spam. The problem that I am seeing is
]that I am getting a lot of newsletters marked as failing the sniffer test.
]Newsletters from places like Columbia House, The WWE, ISP World. Am I
]missing something, or do I have to whitelist these sites so that my customer
]can continue to receive their newsletter that they subscribed to?
]Below is a small list of the sites that have been reported to me as failing
]the sniffer test that the customer has requested to receive mail from. Any
]help you can give me will be greatly appreciated. I like the fact that
]sniffer is catching what gets through Junkmail; I just am not sure how to
]handle the False Positive messages. Thanks in advance for any help you
]can give me.
]
]
]
]Lenny Bauman
]
]
]From: [EMAIL PROTECTED]
]From: Strive.To Word [EMAIL PROTECTED]
]From: eWEEK News [EMAIL PROTECTED]
]From: ArcaMax [EMAIL PROTECTED]
]From: Just Say Wow [EMAIL PROTECTED]
]From:  [EMAIL PROTECTED]
]From:  [EMAIL PROTECTED]
]From: Webmonkey Frontdoor [EMAIL PROTECTED]
]From: ISPworld [EMAIL PROTECTED]
]From: [EMAIL PROTECTED]
]From: Wired News [EMAIL PROTECTED]
]From: [EMAIL PROTECTED]
]From: [EMAIL PROTECTED]
]From: [EMAIL PROTECTED]
]From: WWE Newsletter [EMAIL PROTECTED]
]From: Columbia House DVD Club [EMAIL PROTECTED]
]From: bizjournals.com Solutions
][EMAIL PROTECTED]
]From: ISPworld [EMAIL PROTECTED]
]From: TESSCO...Your Total Source [EMAIL PROTECTED]
]From: McAfee.com Services [EMAIL PROTECTED]
]From: [EMAIL PROTECTED]
]
]



RE: [Declude.JunkMail] Wordfilter in BASE64?

2002-09-25 Thread Madscientist

Declude does not decode base64, rather it simply detects html base64
segments which are highly likely to be spam.

_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Scott MacLean
]Sent: Wednesday, September 25, 2002 8:10 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Wordfilter in BASE64?
]
]
]I just saw an email that *should* have been caught several times over with
]various BODY CONTAINS filters, but wasn't - instead, it caught BASE64.
]Does Declude decode the BASE64 body and then apply the wordfilter? Because
]it seems like it might not.
]
]___
]Scott MacLean
][EMAIL PROTECTED]
]ICQ: 9184011
]http://www.nerosoft.com
]



RE: [Declude.JunkMail] Wordfilter in BASE64?

2002-09-25 Thread Madscientist



We've had a few, but we didn't keep them around. There are some folks on 
the list hunting for examples - I've got an eye out but I'm not trying hard. 
Statistically it is a very good test.

The only trouble with not scanning inside base64 segments is that it 
reduces your ability to categorize the message... so, for example, if 
there's content there that users on your system want to see - but might 
otherwise be seen as spam - you will have to work harder to gate that content 
through.

This is why Message Sniffer does open base64 segments to look for 
patterns.

_M

  
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
| Sent: Wednesday, September 25, 2002 9:31 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Wordfilter in BASE64?
|
| That's what I suspected. Has anyone seen HTML Base64 segments that
| *weren't* spam? Are there any email clients that actually put out such a
| thing?
|
| At 08:14 AM 9/25/2002, Madscientist wrote:
| Declude does not decode base64, rather it simply detects html base64
| segments which are highly likely to be spam.
|
| _M
|
| ]-Original Message-
| ]From: [EMAIL PROTECTED]
| ][mailto:[EMAIL PROTECTED]]On Behalf Of Scott MacLean
| ]Sent: Wednesday, September 25, 2002 8:10 AM
| ]To: [EMAIL PROTECTED]
| ]Subject: [Declude.JunkMail] Wordfilter in BASE64?
| ]
| ]
| ]I just saw an email that *should* have been caught several times over with
| ]various "BODY CONTAINS" filters, but wasn't - instead, it caught BASE64.
| ]Does Declude decode the BASE64 body and then apply the wordfilter? Because
| ]it seems like it might not.
| ]
| ]___
| ]Scott MacLean
| ][EMAIL PROTECTED]
| ]ICQ: 9184011
| ]http://www.nerosoft.com
|
| ___
| Scott MacLean
| [EMAIL PROTECTED]
| ICQ: 9184011
| http://www.nerosoft.com


RE: [Declude.JunkMail] Web Site ?

2002-09-24 Thread Madscientist

Yup - no joy for quite a bit now.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Kratka
]Sent: Tuesday, September 24, 2002 5:49 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Web Site ?
]
]
]Is anyone else having difficulties with the Declude Web Site?
]
]Jeff
]
]*
]TymeWyse Internet
]P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
]tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
]*
]
]



RE: [Declude.JunkMail] Base 64 test

2002-09-23 Thread Madscientist

Anecdotally this makes a lot of sense. It was primarily porn spam that
caused us to move our filterchain module development forward in the sniffer
program.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of John Tolmachoff
]Sent: Monday, September 23, 2002 2:02 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Base 64 test
]
]
]Since implementing the base 64 test, I am noticing that adult junkmail
]that is in HTML format is getting caught by this.
]
]As I am out of the office this week and working from home, when I have
]time I am going to investigate this further.
]
]Any one else noticing this?
]
]John Tolmachoff
]IT Manager, Network Engineer
]RelianceSoft, Inc.
]Fullerton, CA  92835
]www.reliancesoft.com
]
]
]



RE: [Declude.JunkMail] Upgrade to sniffer 1.1

2002-09-23 Thread Madscientist

This rule 10222 should match only a specific email address... however
the scan index and ended are both z which is not possible.

It is likely you have a corrupted .snf file.

Hope this helps,
_M


| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Marv Gordon
| Sent: Monday, September 23, 2002 1:31 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Upgrade to sniffer 1.1
| 
| 
| Sniffer logfile shows nothing but matches (example below).  
| Have not seen a clean entry since the upgrade today.
| 
| 
| 
| 
| sniffer  20020923165941  D4876000800deda6b.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170147  D48f8000900ded796.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170245  D493a00deb0b2.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170307  D494a000b00de183e.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170309  D494c000c00de2165.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170448  D49bd00dea5ce.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923170451  D49b2000900dcaeec.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170456  D49b7000a00dcc004.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170531  D49ca000b00dc0b20.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923170545  D49e7000c00dc7f12.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170601  D49f7000d00dcbcd7.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923170640  D4a1e000e00dc53a5.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923170951  D4add001000dc401a.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923171653  D4c85000300e0b593.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923171700  D4c63000f00de334f.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923171702  D4c8d001000ded45c.SMD  110  0  Match  10222  46  0  0  5
| sniffer  20020923171702  D4c8d000400e0d498.SMD  121  0  Match  10222  46  0  0  5
| sniffer  20020923171737  D4caf000500e0597b.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923171843  D4c43001200dcb2f6.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923172032  D4d5a001500dcf673.SMD  71  0  Match  10222  46  0  0  5
| sniffer  20020923172106  D4d82001600dc90e4.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172112  D4d88001700dca993.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172142  D4da6001800dc1dd6.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172216  D4dc7001900dc9ff2.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923172226  D4dd2001a00dccbd6.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923172243  D4de3001b00dc0d16.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923172251  D4dea001c00dc29b9.SMD  61  0  Match  10222  46  0  0  5
| sniffer  20020923172313  D4e1d00dc7dca.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172329  D4e11001e00dcc072.SMD  70  0  Match  10222  46  0  0  5
| sniffer  20020923172335  D4e16001f00dcd538.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172515  D4e790003011a5901.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172517  D4e7b0004011a6106.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172545  D4e980005011ad1c3.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172626  D4ec1002300dc710e.SMD  60  0  Match  10222  46  0  0  5
| sniffer  20020923172702  D4ee4002400dcfa3e.SMD  60  0  Match  10222  46  0  0  5
| 

RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

2002-09-17 Thread Madscientist

Gosh I'd like to know how he made that account and got it spammed so
quickly. That knowledge would be quite a tool.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Tom
| Sent: Monday, September 16, 2002 5:21 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| By OREN ETZIONI of the NY TIMES
| ---
| 
| A few days ago I created a new e-mail account, and within 24 
| hours I had received over 25 unsolicited commercial e-mail 
| messages, otherwise known as spam. Even though I'm a 




RE: [Declude.JunkMail] HELOBOGUS

2002-09-17 Thread Madscientist

It might be a good test to put into the weights.
Another one would be a test that looks at the sender's (from their
address) and fails if the first MX doesn't match up.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, September 17, 2002 10:00 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] HELOBOGUS
| 
| 
| 
| I spoke in haste, that all makes sense. I am having a tough time with
| spammers using the mailfrom or return address of the recipient and a
| wetware problem on the customer end. Is there any way I can stop this?
| I know, it seems like a catch 22.
| 
| Unfortunately, there isn't any easy way to stop the E-mail that has the
| same return address as the recipient's address -- the problem is that
| quite a few people Cc: themselves on all E-mail, as well as send
| themselves test messages.
| -Scott
| 



RE: [Declude.JunkMail] Toms Kill List

2002-09-17 Thread Madscientist

The preceding @ ensures that the match is an email with the example
domain. The preceding . ensures that the match is the domain used in a
host link like www.example.com and so forth. Without these preceding
characters the following might also match incorrectly...

legitimatexample.com

Using the preceding characters prevents this.

HTH
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Sharyn Schmidt
| Sent: Tuesday, September 17, 2002 10:24 AM
| To: Declude Junkmail List
| Subject: [Declude.JunkMail] Toms Kill List
| 
| 
| Morning everyone,
| 
| Because all is going so well, I decided I'd screw with things a bit
| more :)
| 
| I have just downloaded Tom's Image FX kill list and I'm looking
| through it.
| 
| What I don't understand is, what is the difference between these 2
| entries:
| 
| @example.com and .example.com
| 
| (obviously the difference is the @ and the ., but what exactly does
| this mean?)
| 
| Thanks in advance,
| Sharyn
| 
| PS: Scott, love the addition of the whitelist line in the logs!
| 
| 
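The anchoring explained in the reply above, as an added example that is not part of the original thread and is not Declude or Sniffer code. It compares plain substring matching for the bare and the prefixed kill-list entries, and goes one step further with a label-aware domain match; all function names and sample messages are constructed for illustration.

```python
import re

# Constructed sample messages for illustration (not taken from the thread).
SPAM_MAIL = "From: offers@example.com\nReply to sales@example.com for pricing\n"
SPAM_LINK = "Click http://www.example.com/deal now\n"
SPAM_BARE = "Click http://example.com/deal now\n"
HAM = (
    "From: billing@legitimatexample.com\n"
    "Invoice: http://legitimatexample.com/invoice/42\n"
)

UNANCHORED = ["example.com"]
ANCHORED = ["@example.com", ".example.com"]


def substring_hits(entries, text):
    """Kill-list style matching: an entry hits if it occurs anywhere in text."""
    lowered = text.lower()
    return [entry for entry in entries if entry.lower() in lowered]


# Mail domains and host names: dot-separated labels of letters, digits, hyphens.
_DOMAIN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)


def domain_hits(blocked, text):
    """Label-aware matching: hit only on a blocked domain or one of its subdomains."""
    wanted = [b.lower() for b in blocked]
    hits = set()
    for found in _DOMAIN.findall(text):
        found = found.lower()
        for domain in wanted:
            if found == domain or found.endswith("." + domain):
                hits.add(domain)
    return sorted(hits)


if __name__ == "__main__":
    samples = [("mail", SPAM_MAIL), ("link", SPAM_LINK),
               ("bare", SPAM_BARE), ("ham", HAM)]
    for name, text in samples:
        print(name,
              "bare entry:", substring_hits(UNANCHORED, text),
              "prefixed entries:", substring_hits(ANCHORED, text),
              "label-aware:", domain_hits(UNANCHORED, text))
```

The prefixed entries stop the look-alike false positive, but a link written without any host prefix (http://example.com/) slips past both of them, which is the gap the label-aware match closes.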



RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

2002-09-17 Thread Madscientist

I guess that makes sense.
We've got a few accounts like that out there - we set them up, forward
them into our system for evaluation, and never use them for anything
else... but there's a definite 'color' to the content - meaning the spam
we get there is skewed to a specific strange attractor - all based on the
marketing.

I'm working on formulating a methodology for setting up spamtraps and
tuning them for specific kinds of spam - without opening them to any
legitimate email. It's harder than it looks, and takes a lot of time -
there's just no rushing it... so far anyway.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Charles Frolick
| Sent: Tuesday, September 17, 2002 11:01 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| I always figured since my hotmail profile says I'm male and 
| over 21 that's why it gets about 160 spam mails (that don't 
| fail their spam filters) per week.  Don't they do the same 
| thing Juno mail does and pay for the service by selling the 
| address to 'Advertising Partners'? My 17 year old sister in 
| law gets no adult spam to her hotmail address at all, and 99% 
| of mine is, that says target marketing to me.  I only have 
| the address as a remote test account, to validate mail 
| routing to my domain hosting customers, and rarely even then. 
| If it were not a free mail account then I would say it would 
| be a lot of work to get it listed, but I know there are only 
| two ways to pay for a service, you pay or the advertisers pay.
| 
| Chuck Frolick
| ArgoNet, Inc.
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
| Sent: Tuesday, September 17, 2002 8:38 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| 
| Gosh I'd like to know how he made that account and got it spammed so 
| quickly. That knowledge would be quite a tool.
| 
| By this:
| 
| | A few days ago I created a new e-mail account, and within 
| 24 hours I 
| | had received over 25 unsolicited commercial e-mail messages, 
| | otherwise known as spam.
| 
| He means A few days ago I created an account on Hotmail that 
| had once existed, but since I just created it, it's a new 
| E-mail account.
| 
| Unless he was extremely active in trying to receive spam, I 
| can't think of any other way that it could have happened.  
| Or, he may have used his poetic license to count the number 
| of spams he received.
| -Scott
| 



RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

2002-09-17 Thread Madscientist

The problem with this is that once you subscribe it to anything you've
muddied the waters a bit about whether content to that address is spam
or not. If your specific use is such that you don't discriminate then
you've got a reasonable solution... but for truly pure spam, you need to
find ways for the spammers to pick you up - in their typical ways - but
without your prompting. That takes time and effort - and occasionally
luck. The luckiest you can get is for a dictionary search to hit your
spam trap and pump it into one of the millions CDs... Once that
happens a few times you'll start getting good traffic that was truly
never solicited. Another lucky method is to have the address picked off
of a web page when some spammer is trolling...

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Tuesday, September 17, 2002 11:30 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| I always thought it would make a lot of sense to have an 
| Internal SpamCop address.  
| 
| An address that we can use in Declude so any e-mail that is 
| sent to that address is automatically added to a blacklist 
| address for background deletion.
| 
| If such addresses is then easily advertised on a couple of 
| sites that are willing to give you a million dollars or add 
| to your anatomical parts then effectively we can have a 
| preemptive notice easily.  Since the address is not used 
| elsewhere there is no way a legitimate email comes to it.
| 
| This can be a very fast and almost no CPU processing system  
| be called SPAMTrap
| 
| Regards,
| Kami
| 
| 
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of Madscientist
| Sent: Tuesday, September 17, 2002 11:10 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| I guess that makes sense.
| We've got a few accounts like that out there - we set them 
| up, forward them into our system for evaluation, and never 
| use them for anything else... but there's a definite 'color' 
| to the content - meaning the spam we get there is skewed to a 
| specific strange attractor - all based on the marketing.
| 
| I'm working on formulating a methodology for setting up 
| spamtraps and tuning them for specific kinds of spam - 
| without opening them to any legitimate email. It's harder 
| than it looks, and takes a lot of time - there's just no 
| rushing it... so far anyway.
| 



RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

2002-09-17 Thread Madscientist

This game subverted the entire office. ;-)
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Alexis D. Gutzman
| Sent: Tuesday, September 17, 2002 11:48 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| Craig,
| 
| I have two paid hotmail accounts. The one for my 5-year old 
| daughter (it's really a test account for spam-filtering) did 
| not get checked. My other account for Elmer Fudd strangely 
| had a birthyear of 1900 and they were checked.
| 
| I thought that when I set these up I said no sharing. Does 
| anyone know how old these boxes are?
| 
| You all might enjoy playing our new anti-s*pam game (see 
| sig). Just launched today.
| 
| Alexis
| ---
| Alexis D. Gutzman, Managing Editor, Reports
| MarketingSherpa's Knowledge Store 
| http://torturegame4.emailsherpa.com = Play Torture a 
| S^pammer online game
| 
| - Original Message -
| From: Craig Gittens [EMAIL PROTECTED]
| To: [EMAIL PROTECTED]
| Sent: Tuesday, September 17, 2002 8:59 AM
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
|  Sorry, just getting around to reading my 700 or so unread messages.
|  Anyone notice Hotmail put in a few new options a while ago and enabled
|  them for everyone? Click on the options link and choose Personal
|  Profile and scroll to the bottom. You will notice that the two options
|  to 1) Share my email address and 2) Share my other registration
|  information are checked.
| 
|  Craig.
| 
|  -Original Message-
|  From: [EMAIL PROTECTED]
|  [mailto:[EMAIL PROTECTED]]On Behalf Of Tom
|  Sent: Monday, September 16, 2002 5:21 PM
|  To: [EMAIL PROTECTED]
|  Subject: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
|  By OREN ETZIONI of the NY TIMES
|  ---
| 
|  A few days ago I created a new e-mail account, and within 24 hours I
|  had received over 25 unsolicited commercial e-mail messages, otherwise
|  known as spam. Even though I'm a professor of computer science, I,
|  like so many others, have failed to protect myself from this daily
|  nuisance. So I welcome
|  t
| 



RE: [Declude.JunkMail] Timed weight?

2002-09-11 Thread Madscientist

Now there's a sophisticated element to the test. You could key the time to
the geographic region of the sender's IP range. Not much more work (since
it's generally hard-coded) but makes the test useful for determining the
time of day at the sender's location -- in theory anyway.

Thoughts?
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
]Sent: Wednesday, September 11, 2002 6:39 PM
]To: [EMAIL PROTECTED]
]Subject: Re: [Declude.JunkMail] Timed weight?
]
]
]
]Only a suggestion, maybe I'm wrong: Can it be useful to give a few
]points for messages delivered in a certain time range?(for example
]between 10.00 pm and 05.00 am)
]
]That is a good idea, and something that we have been giving some thought
]to.  It would likely only be beneficial to a small group of our customers
](businesses that do business primarily in their own country, as opposed to
]ISPs and schools and such), but would probably work well for them.
] -Scott
]



RE: [Declude.JunkMail] SPAM-L Digest fails spam headers and Sniffer.

2002-09-09 Thread Madscientist

Yup. The log for the trial version should be SNFdemo.log.
The 42 you see would be the result code which is the ruleid % 64 + 1 -
not quite specific enough.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of John 
| Tolmachoff
| Sent: Friday, September 06, 2002 5:17 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] SPAM-L Digest fails spam 
| headers and Sniffer.
| 
| 
| Woops, you said the sniffer.log.
| 
| I am running the trial version.
| 
| Is there a log with that?
| 
| John Tolmachoff
| IT Manager, Network Engineer
| RelianceSoft, Inc.
| Fullerton, CA  92835
| www.reliancesoft.com
| 
| 
| 



RE: [Declude.JunkMail] SPAM-L Digest fails spam headers and Sniffer.

2002-09-06 Thread Madscientist

Can you indicate the specific rule that failed from the sniffer.log
file? I'd like to look it up and see how it's coded.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of John 
| Tolmachoff
| Sent: Friday, September 06, 2002 3:29 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] SPAM-L Digest fails spam headers 
| and Sniffer.
| 
| 
| Here is a good one:
| 
| Received: from cherry.ease.lsoft.com [209.119.0.109] by 
| mail.reliance.net with ESMTP
|   (SMTPD32-7.12) id AF2E20D00CE; Fri, 06 Sep 2002 12:17:02 -0700
| Received: from PEAR.EASE.LSOFT.COM (209.119.0.19) by 
| cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with 
| SMTP id [EMAIL PROTECTED]; Fri, 6 Sep 2002 
| 15:16:57 -0400
| Date: Fri, 6 Sep 2002 15:16:57 -0400
| Reply-To: [EMAIL PROTECTED]
| Sender:   Spam Prevention Discussion List 
| [EMAIL PROTECTED]
| From: Automatic digest processor [EMAIL PROTECTED]
| Subject: THIS IS PROBABLY SPAM!  SPAM-L Index - 5 Sep 2002 to 
| 6 Sep 2002
| - Special issue (#2002-477)
| To:   Recipients of SPAM-L indexes [EMAIL PROTECTED]
| Precedence: list
| Message-Id: [EMAIL PROTECTED]
| X-RBL-Warning: SPAMHEADERS: This E-mail has headers 
| consistent with spam [420e].
| X-RBL-Warning: SNIFFER: Message failed SNIFFER: 42.
| X-Declude-Sender: [EMAIL PROTECTED] [209.119.0.109]
| X-Declude-Spoolname: Dff2e020d00ceedd2.SMD
| X-Note: This E-mail was scanned by RelianceSoft, Inc.
| (www.reliancesoft.com) for spam.
| X-Tests-Failed: SPAMHEADERS, SNIFFER, WEIGHTRANGE15-19
| X-Note: This E-mail was sent from cherry.ease.lsoft.com 
| ([209.119.0.109]).
| X-RCPT-TO: [EMAIL PROTECTED]
| Status: U
| X-UIDL: 321649208
| 
| 
| John Tolmachoff
| IT Manager, Network Engineer
| RelianceSoft, Inc.
| Fullerton, CA  92835
| www.reliancesoft.com
| 
| 
| 



RE: [Declude.JunkMail] More encoded spam

2002-09-05 Thread Madscientist

I think you're right there...

Spammers didn't invent this as a means of obfuscation... It seems that
what happened is some lucky spammers sent out a few messages this way
because that's how their software of choice worked - and they discovered
that it was a good way not to get filtered - and so now there is a
growing preference to use that type of encoding. This is only a guess,
but it seems to be supported by the apparent shift in spam formatting.
The shift also seems to have coincided with a sudden burst of html
obfuscation techniques such as adding randomized html comments
throughout the message to break up phone numbers and key phrases. (These
shifts seem to have peaked within 30-60 days of each other).

There is some spam software out there now that explicitly supports
these mechanisms as features for stealth direct mail.

Adding base64 decoding to Sniffer has had a profound effect on its
efficiency. Before adding this filter-chain module we had a growing
number of spam which would get through - only to find that there was a
rule in the database already targeted to the message. Now that base64
encoding is in place that almost never happens.

It's too early to tell how profound the effect is because we don't have
a statistically reliable sample yet, but next month's report from Scott
should show us the truth. Perhaps we can coax him into giving us some
intermediate statistics (perhaps weekly for this month) so that we can
measure the impact of base64 encoding in spam.

The switchover was specifically timed so that it would coincide with the
beginning of the month for this reason.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Smart Business Lists
| Sent: Thursday, September 05, 2002 5:07 PM
| To: Rick Davidson
| Subject: Re: [Declude.JunkMail] More encoded spam
| 
| 
| Rick,
| 
| Thursday, September 5, 2002 you wrote:
| RD If anybody can produce legit reasons for sending mail this way 
| RD please let Scott know
| 
| Well I don't know what legit means exactly but I can tell 
| you there are quite a few messages that come through our 
| server that are base64 encoded or that contain base64 
| segments that are not SPAM.
| 
| There's enough of them I wrote a decoder for my program that 
| we use to inspect emails before we delete or pass them so we 
| could read them.
| 
| I think some people are using them to obfuscate the contents 
| but I don't think that is the only reason.
| 
| 
| Terry Fritts
| 



RE: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread Madscientist

We've just added a base64 decoding filter to the Message Sniffer program
for precisely this reason. This makes encoded HTML segments or attached
files look like plain data to the pattern matching engine. There are
other coding tricks in use as well and we are building those filter
modules for later release. Once the current beta of sniffer is a
full-fledged production version we will include this code in the free
demo version.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Wednesday, September 04, 2002 5:07 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Encoded Email... how?
| 
| 
| 
| This one has me baffled. This email (spam) showed up as what appeared
| to be an html formatted message. When I view the raw message it appears
| as an encoded attachment making it impossible to filter on any body
| content.
| 
| How are they doing it and how do we stop it?
| 
| That's getting to be a more common trick of spammers.  They are sending
| an HTML MIME segment that is encoded (using base64 encoding, which is
| normally only used when sending files).  That way, the E-mail can't
| easily be filtered.
| 
| It's something that we may add a new test for, as HTML (and text)
| should never need to be encoded that way.
|  -Scott
| 
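The decode-before-matching step described in this message and in the "More encoded spam" reply above, as an added example that is not part of the original thread and is not Message Sniffer or Declude code. It uses Python's standard email package; the sample message, the single rule and the function names are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Constructed HTML body and rule; not taken from the thread or any real rule base.
HTML = "<html><body><b>Lowest mortgage rates</b> - call now</body></html>"
RULES = [re.compile(r"lowest\s+mortgage\s+rates", re.IGNORECASE)]


def build_sample(encode):
    """Build a one-part HTML message, base64-encoded or not (constructed sample)."""
    if encode:
        body = base64.encodebytes(HTML.encode("ascii")).decode("ascii")
        cte = "base64"
    else:
        body, cte = HTML + "\n", "7bit"
    return (
        "From: sender@example.com\n"
        "To: rcpt@example.net\n"
        "Subject: hello\n"
        "MIME-Version: 1.0\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        f"Content-Transfer-Encoding: {cte}\n"
        "\n" + body
    )


def scan_raw(raw):
    """Match the rules against the message exactly as it was received."""
    return [rule.pattern for rule in RULES if rule.search(raw)]


def scan_decoded(raw):
    """Decode every text part, then match.

    Returns (rule hits, number of text parts that arrived base64-encoded).
    The count is returned separately so a caller can weight it instead of
    rejecting on it, since legitimate mail is sometimes encoded this way.
    """
    msg = message_from_string(raw)
    hits, encoded_text_parts = [], 0
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte == "base64":
            encoded_text_parts += 1
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("latin-1")
        hits += [rule.pattern for rule in RULES if rule.search(text)]
    return hits, encoded_text_parts


if __name__ == "__main__":
    for encode in (False, True):
        raw = build_sample(encode)
        print("base64" if encode else "7bit",
              "raw scan:", scan_raw(raw),
              "decoded scan:", scan_decoded(raw))
```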



RE: [Declude.JunkMail] Encoded Email... how?

2002-09-04 Thread Madscientist

We've seen a lot of this as well, and frankly it works against them.
There are seldom legitimate reasons to obscure a web link - particularly
by coding it as binary or as a long integer. The Message Sniffer rule
base has some aggressive rules built to trap any web link that starts off
with more than 3 digits in a row, and a large number of specific rules
to numbered or otherwise coded web links. (These are very common in porn
spam)

These might make good tests Scott ;-)

If you (anyone) decide to add rules like this to your filters be
cautious not to go too wild with them. There are a number of legitimate
services, internal corporate software, and other legitimate reasons to
use numbered links. You must tune to suit your tastes.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Wednesday, September 04, 2002 5:10 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Encoded Email... how?
| 
| 
| We are actually finding more  more SPAM are coming that way. 
|  We are only catching them when they put interesting words in 
| the subject.
| 
| Also what we are finding is they are turning the links and 
| addresses into binary numbers, therefore making it impossible 
| to detect the links and trap them... Such as majority of 
| porn-sites.  We get links like:
| 
http://0111010101010101010101010101010...

How I have no clue?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson
Sent: Wednesday, September 04, 2002 4:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Encoded Email... how?


Howdy,
This one has me baffled. This email (spam) showed up as what appeared to
be an html formatted message. When I view the raw message it appears as
an encoded attachment making it impossible to filter on any body
content.

How are they doing it and how do we stop it?

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900
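
An added example, not Message Sniffer's rule base or code from anyone in this thread: a sketch of the kind of rule described at the top of this message, flagging web links whose host starts with more than 3 digits in a row and labelling hosts that are one long integer or a run of binary digits. The function names, the allow list parameter and the sample body are constructed for illustration; the allow list is there for the tuning the message warns about.

```python
import re
from urllib.parse import urlsplit

# Loose link matcher for message bodies (constructed for this example).
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def classify_host(host):
    """Label a link host that looks coded rather than named, else None."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[01]{16,}", host):
        return "binary-digit host"
    if re.fullmatch(r"\d{4,}", host):
        return "long-integer host"
    if re.match(r"\d{4,}", host):
        # The rule from the message: more than 3 digits in a row at the start.
        return "leading digit run"
    return None


def find_coded_links(body, allow_hosts=()):
    """Return (url, label) for each link in body whose host looks coded."""
    allowed = {h.lower() for h in allow_hosts}
    findings = []
    for match in LINK_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            continue  # malformed link; leave it to other tests
        if host in allowed:
            continue  # numbered host the site has decided is legitimate
        label = classify_host(host)
        if label:
            findings.append((url, label))
    return findings


# Constructed sample body: three coded links, plus numbered links that
# should not trip the rule (digits in the path, a dotted address, and an
# internal numbered host that is tuned out through allow_hosts).
SAMPLE_BODY = """\
Click http://0111010101010101010101010101/ now
or http://3232238085/offer, or http://12345.example.net/x.
Ticket: http://helpdesk.example.com/ticket/123456
Status: http://192.0.2.10/status
Wiki: http://1234567.intranet.example/page
"""

if __name__ == "__main__":
    for url, label in find_coded_links(
            SAMPLE_BODY, allow_hosts=["1234567.intranet.example"]):
        print(f"{label:20} {url}")
```
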



RE: [Declude.JunkMail] FILTER test...how much of the body does it read?

2002-09-03 Thread Madscientist

I'm not sure you want to go that route - there's a lot of good spam
fodder at the top of a message. The pattern matching engine in sniffer
can afford to wade through the entire message so we've got a lot of
rules in the Sniffer database that start in the top of a message and end
in the bottom.

If you can't afford to scan the whole message then you might scan the
top and the bottom and leave out the middle. This would likely work
better than skipping one end or the other.

My $0.02.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Tuesday, September 03, 2002 12:25 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] FILTER test...how much of the 
| body does it read?
| 
| 
| Hi;
| I think this is a great idea... Why not actually have an 
| option to scan the top or the bottom.  I know in our case if 
| I have only one choice I would choose the bottom of the 
| e-Mail for scan.
| 
| Because most of our Word Filter is based on the bottom of the 
| spams.  I had no idea that it is only 8000 characters.
| 
| Regards,
| Kami
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, September 03, 2002 11:57 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] FILTER test...how much of the 
| body does it read?
| 
| 
| 
| Can you remind me how much of the message body JunkMail 
| scans with the
| FILTER test?
| 
| It scans the first 8,000 or so characters.
| 
| I was using 1.56i at the time and just installed 1.58b.  Is there an
| option to have it scan the full body since a lot of the 
| tell-tale spam 
| identifiers are at the end?  If not, can it be added in the future?
| 
| There isn't such an option, but it is one that we could add 
| (although it
| 
| could add significantly to CPU usage).
|  -Scott



RE: [Declude.JunkMail] filter file question

2002-07-26 Thread Madscientist

| 
| Answering several E-mails here...
| 
| Regexp! :)
| 
| Probably wishful thinking, I'm sure writing in pattern 
| matching would 
| be a hefty involvement.
| 
| Yes, regexp would be a very hefty involvement (and very 
| resource intensive).

Sniffer's online rule manager is getting closer (email me off list for a
screen shot if you're curious)... and that will allow users to create
custom rules with capabilities very close to Regexp.

_M




RE: KITHRUP:RE: [Declude.JunkMail] HELO:Declude Console

2002-07-17 Thread Madscientist

We've worked on that beast in the lab - it's a side project. Haven't
seen one out on the street - maybe it's out there somewhere. 

The trouble is cost & bandwidth. Video capture & compression takes a lot
of cycles and essentially requires a whole computer to do - a high-end
one at that, especially if you want to minimize your updates by looking
for changed window features etc... lots of SW/HW. Finally decided to
shelve it until we can get custom hardware made to convert the video
signals back into reliable bit positions & run a specialized
sub-processor to recognize key features for the compression engine.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
| Sent: Wednesday, July 17, 2002 8:40 AM
| To: [EMAIL PROTECTED]
| Subject: RE: KITHRUP:RE: [Declude.JunkMail] HELO:Declude Console
| 
| 
| I always thought that if someone came out with a device that 
| had KVM inputs and an Ethernet/modem output that would talk 
| to another device, it would be the ultimate troubleshooting tool.
| 
| Imagine being able to send this device to a site 1000 miles 
| away and having total control of the console -- EVEN during 
| BIOS setup.
| 
| Who knows.. Maybe someone's done it. :)
| 
| 
| 
| 
|  -Original Message-
|  From: [EMAIL PROTECTED]
|  [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Craig Gittens
|  Sent: Wednesday, July 17, 2002 8:30 AM
|  To: [EMAIL PROTECTED]
|  Subject: RE: KITHRUP:RE: [Declude.JunkMail] HELO:Declude Console
|  
|  
|  Has anyone looked at Remotely Anywhere? I use it and it 
| works great.
|  
|  http://www.remotelyanywhere.com
|  
|  Craig.
|  
|  -Original Message-
|  From: [EMAIL PROTECTED]
|  [mailto:[EMAIL PROTECTED]]On Behalf Of Todd Ryan
|  Sent: Wednesday, July 17, 2002 6:51 AM
|  To: [EMAIL PROTECTED]
|  Subject: Re: KITHRUP:RE: [Declude.JunkMail] HELO:Declude Console
|  
|  
|  Have you tried TightVNC?  (www.tightvnc.com)  It was designed
|  for slow connections and has a few more things tweaked for 
|  better performance.  And it's also free.  Worth a look...
|  
|  TightVNC Features (from their web site):
|  
|  Local cursor handling. Cursor movements do not generate
|  screen updates any more, remote cursor movements are 
|  processed locally by the viewer, so you do not see remote 
|  cursor pointer moving too slow behind the local cursor.
|  
|  Efficient compression algorithms. New Tight encoding is
|  optimized for slow and medium-speed connections and thus 
|  generates much less traffic as compared to traditional VNC 
|  encodings. At the same time, TightVNC supports all the 
|  standard VNC encodings, so it can be easily configured to 
|  operate efficiently in fast network environments too.
|  
|  Configurable compression levels. You can choose any
|  appropriate level of compromise between compression ratios 
|  and coding speed, depending on your connection speed and 
|  processor power.
|  
|  Optional JPEG compression. If you don't care too much about
|  perfect image quality, you can enable JPEG coder which would 
|  compress color-rich screen areas much more efficiently (and 
|  image quality level is configurable too). Web browser access. 
|  TightVNC includes greatly improved Java viewer with full 
|  support for Tight encoding, local cursor feature, 24-bit 
|  color mode, and more. The Java viewer applet can be accessed 
|  via built-in HTTP server like in the standard VNC.
|  
|  Operating under Unix and Windows. All new features listed
|  above are available in both Unix and Win32 versions of TightVNC.
|  
|  Advanced Properties dialog in WinVNC. Unlike the standard
|  VNC, TightVNC gives you a possibility to set a number of 
|  advanced settings directly from the WinVNC GUI, and to apply 
|  changed settings immediately. There is no need to launch 
|  regedit to set query options, connection priority, to allow 
|  loopback connections, disable HTTP server etc.
|  
|  Automatic SSH tunneling on Unix. Unix version of TightVNC
|  viewer can tunnel connections via SSH automatically using 
|  local SSH or OpenSSH client installation.
|  
|  And more. A number of other improvements, performance
|  optimizations and bugfixes, see WhatsNew and ChangeLog documents.
|  
|  
|  
|  - Original Message -
|  From: David Lewis-Waller [EMAIL PROTECTED]
|  To: [EMAIL PROTECTED]
|  Sent: Tuesday, July 16, 2002 12:29 PM
|  Subject: RE: KITHRUP:RE: [Declude.JunkMail] HELO:Declude Console
|  
|  
|   We use VNC, pcAnywhere and TS, VNC is very slow over a
|  64kbps leased
|   line
|  to
|   our remote servers but okay over a local lan, pcAnywhere is
|  okay but
|   has a licence fee, TS is excellent aside from some apps (very few)
|   won't open in GUI mode.
|  
|   Sorry for being out of scope.
|  
|   David
|   WiSS Limited
|  
|   -Original Message-
|   From: Todd Holt [mailto:[EMAIL PROTECTED]]
|   Sent: 16 July 2002 17:10
|   To: [EMAIL PROTECTED]
|   Subject: RE: KITHRUP:RE: 

RE: KITHRUP:RE: [Declude.JunkMail] HELO:Declude Console

2002-07-16 Thread Madscientist

We like this (VNC) also - but it can be slow on the updates some times.
For that, you might use VNC to launch netmeeting - unless you're going
to do something quick. Ironically, we use VNC to kickstart PCAW on boxes
where that's been required - PCAW has a habbit of crashing - VNC
doesn't.

My $.02
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Holt
| Sent: Tuesday, July 16, 2002 12:10 PM
| To: [EMAIL PROTECTED]
| Subject: RE: KITHRUP:RE: [Declude.JunkMail] HELO:Declude Console
| 
| 
| I am a M$ fan, but they were right when they named the 
| product terminal services.  It sure is terminal. I have 
| found many things that don't work as expected when using 
| terminal services, so beware.
| 
| One product that we use is VNC. It is a very effective remote 
| control console, it uses very little bandwidth (as compared 
| to other products) and is free!!  You can even run it as a 
| service on your servers.  I never go into the computer room 
| any more!  It also has a web browser client which works 
| surprisingly well across HTTP.  The product is a testbed for 
| AT&T labs.
| 
| http://www.uk.research.att.com/vnc/download.html
| 
| Todd
| 
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Rooth
| Sent: Tuesday, July 16, 2002 6:59 AM
| To: [EMAIL PROTECTED]
| Subject: KITHRUP:RE: [Declude.JunkMail] HELO:Declude Console
| 
| 
| Yes, I believe you are right.  After hooking up with 
| pcAnywhere, I could see it but not through Terminal Service.
| 
| 
| Jim Rooth
| Klotron, Inc.
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| David Lewis-Waller
| Sent: Tuesday, July 16, 2002 1:39 AM
| To: '[EMAIL PROTECTED]'
| Subject: [Declude.JunkMail] HELO:Declude Console
| 
| Am I right in thinking that the Declude console can't run 
| when logged in via Terminal Service as it can't interact with 
| the desktop?
| 
| David
| WiSS Limited



RE: [Declude.JunkMail] Word Filters - Spammers getting smarter

2002-07-08 Thread Madscientist

Caution...
I had a similar test in Message Sniffer some weeks ago with tragic
results - too many false positives so we had to pull it. We have a mod
in the works to get around this hack - including a stream filter to drop
all html comments before matching. 

That would be a good one for you to look at Scott if it fits in your
system.

It turns out that simply counting the number of comments doesn't work
reliably. Neither does the comment to content ratio. There are some
specific comments that can be filtered - but that's not widely effective
except on repeats of the same spam run - although that does reduce the
load so we tend to include those when we see the opportunity.

For example, a few of the spam runs done by this technique had nursery
rhymes built in (I can't quote here)... a few others looked like chunks
of personal messages... The producer apparently can point the engine at
a text file and have it cycle through that text to pull segments for
randomly placed comments in a round-robin fashion.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Friday, July 05, 2002 11:22 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Word Filters - Spammers 
| getting smarter
| 
| 
| 
| You can see - spammers are adapting their message bodies to 
| outsmarten 
| the HEUR and the FILTER tests.
| 
| (Of course, he eventually got lazy and used ! - and, the word 
| remove still appears in the URL and was not URLencoded.)
| 
| 
|You are receiving this email as a subscr!--dealers--iberbr
|to the Opt!--dealers---In Ameri!ca Mailin!g 
|  Lis!t.
| 
| Yes, this is becoming more common.  We are thinking about 
| adding a test 
| that checks for a high number of comments within an E-mail.
|   -Scott
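
An added example, not Message Sniffer or Declude code: the "drop all html comments before matching" idea from the top of this message, run next to a plain comment count over two constructed bodies. The spam sample follows the `!--dealers--` fragment quoted above with its angle brackets restored, which is an assumption about the original; the phrase list and the newsletter body are also constructed.

```python
import re

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
TAG_RE = re.compile(r"<[^>]*>")


def visible_text(html):
    """Approximate what the reader sees: comments dropped, tags spaced out."""
    text = COMMENT_RE.sub("", html)   # joins the words the comments split
    text = TAG_RE.sub(" ", text)      # a tag such as <br> separates words
    return re.sub(r"\s+", " ", text).strip().lower()


def scan(html, phrases):
    """Compare phrase matching on the raw body and on the filtered body."""
    raw = html.lower()
    clean = visible_text(html)
    return {
        "comments": len(COMMENT_RE.findall(html)),
        "raw_hits": [p for p in phrases if p in raw],
        "clean_hits": [p for p in phrases if p in clean],
    }


PHRASES = ["subscriber", "opt-in", "mailing list"]

# Constructed: words broken up by comments, as in the quoted sample.
SPAM_BODY = (
    "You are receiving this email as a subscr<!--dealers-->iber<br>\n"
    "to the Opt<!--dealers-->-In Ameri<!--dealers-->ca "
    "Mailin<!--dealers-->g\nLis<!--dealers-->t."
)

# Constructed: a legitimate HTML notice carrying the same number of comments.
NOTICE_BODY = (
    "<!-- header --><p>Monthly maintenance window</p><!-- nav -->"
    "<!-- body --><p>Servers restart Sunday at 02:00.</p>"
    "<!-- footer --><!-- end -->"
)

if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("notice", NOTICE_BODY)):
        print(name, scan(body, PHRASES))
```

Both bodies carry five comments, so the count cannot tell them apart, while matching on the filtered text hits only the first.
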



RE: [Declude.JunkMail] HTML-Test?

2002-06-13 Thread Madscientist

Unfortunately this leads to a high false positive rate. (We tried it and
pulled it.)

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Joshua Levitsky
| Sent: Thursday, June 13, 2002 2:11 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] HTML-Test?
| 
| 
| What about a JavaScript test? There's something that should 
| not be in non-spam email. Or an ActiveX control detection. 
| Both of these are big clues that it is spam.
| 
| -Josh
| 
| --
| Joshua Levitsky, MCSE, CISSP, EMTD
| Desktop Systems Engineer
| AOL Time Warner
| 
| 
| - Original Message -
| From: Mark Smith [EMAIL PROTECTED]
| To: [EMAIL PROTECTED]
| Sent: Wednesday, June 12, 2002 8:39 AM
| Subject: RE: [Declude.JunkMail] HTML-Test?
| 
| 
|  Not to mention that all iMail Web mail is HTML. :)
| 
|   -Original Message-
|   From: [EMAIL PROTECTED]
|   [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott 
|   Perry
|   Sent: Wednesday, June 12, 2002 8:34 AM
|   To: [EMAIL PROTECTED]
|   Subject: Re: [Declude.JunkMail] HTML-Test?
|  
|  
|  
|   I'm currently implementing Junkmail.
|   My question: Is there a test if the mail is in HTML or in
|   TEXT-Format?
|   
|   When I check the spam-mails received in the past days over
|   90% of this
|   mails are HTML-formatted. So I think HTML-formatted mails
|   should receive
|   2-3 points in the weighting system.
|   
|   Any suggestions, arguments, info's...?
|  
|   The problem with this is that most personal E-mail is 
| sent in HTML 
|   (you can give a BIG thanks to Microsoft for that one).  I believe 
|   that the default
|   settings in Outlook will send both text and HTML, even if 
| there is no
|   difference between the text and HTML segments (so even though
|   the E-mail
|   appears to be a plain text E-mail, it has an HTML copy of it).
|  -Scott



RE: [Declude.JunkMail] BLARSBL:Setting up a spam trap.

2002-06-10 Thread Madscientist

Some spam traps are easier... Another method is to set up the address,
and then use it to visit some shady web sites... Then cancel your
subscriptions (if required). The email will most certainly be added to
every similar list and will live in perpetuity (based on my
observations).

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Monday, June 10, 2002 12:57 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] BLARSBL:Setting up a spam trap.
| 
| 
| 
| We are looking at setting up a spam trap to see what is 
| getting caught 
| and what is getting through.  Any suggestions on how to set 
| up a spam 
| trap?
| 
| It isn't easy.
| 
| The catch is that you need to get addresses out where 
| spammers are going to 
| find them.  The two most common ways of doing this are either 
| using the 
| address as the return address for postings to Usenet (which 
| requires that 
| you post useful messages, but use the spamtrap return 
| address), or adding 
| the addresses to web sites where spammers will find them.
| 
| FWIW, we set up several addresses on websites -- we've had 
| hundreds of 
| viruses sent to those addresses, but not a single spam.
| -Scott



RE: [Declude.JunkMail] Handling Held Spams

2002-06-06 Thread Madscientist

We delete held spam after 30 days.
If a false positive possibility arises, we will use a file - search in
our holding bin to identify any messages that have the correct keywords
- If we verify the false positive this way we can not only put it back
in stream, but also adjust our filtering scheme to compensate. This way
we spend almost no time on dealing with the issue (we have very few
false positives)... But when a false positive does show up we have
everything we need to handle it quickly.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mark MItchell
| Sent: Wednesday, June 05, 2002 10:51 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Handling Held Spams
| 
| 
| Hello,
| 
|   I was wondering how people handle all the held spam?  From 
| my estimates, my mailserver is holding over 1 million spams 
| per month.  I only have BADHEADERS and MAILFROM set for hold 
| and rest for warn.  Are those the two that most people have 
| set to hold?  Any way to make it so the spam forwards to a 
| specific email address so I can search it easier if a 
| customer complains that their message was marked spam?
| 
| Thanks,
| Mark



RE: [Declude.JunkMail] Spammers getting smarter?

2002-05-30 Thread Madscientist

Make that definitely.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
Sent: Wednesday, May 29, 2002 7:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spammers getting smarter?

They're probably monitoring this list server. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn \ WCNet
Sent: Wednesday, May 29, 2002 6:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spammers getting smarter?

Yes, I've gotten several spams that didn't fail any tests. I've added
some to my blacklist test, but I doubt that will do much good in the end.

Glenn Z.

- Original Message -
From: Mark Smith
To: [EMAIL PROTECTED]
Sent: Wednesday, May 29, 2002 5:50 PM
Subject: [Declude.JunkMail] Spammers getting smarter?

Has anyone noticed spammers are getting smarter?
I've had a number of pieces make their way through with proper revDNS,
postmaster, abuse, headers, spamheaders, etc.
Has anyone else seen this?


RE: [Declude.JunkMail] Spammers getting smarter?

2002-05-29 Thread Madscientist

It is a full scale arms race - we've seen some amazing things...
_M

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
Sent: Wednesday, May 29, 2002 7:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spammers getting smarter?

They're probably monitoring this list server. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn \ WCNet
Sent: Wednesday, May 29, 2002 6:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spammers getting smarter?

Yes, I've gotten several spams that didn't fail any tests. I've added
some to my blacklist test, but I doubt that will do much good in the end.

Glenn Z.

- Original Message -
From: Mark Smith
To: [EMAIL PROTECTED]
Sent: Wednesday, May 29, 2002 5:50 PM
Subject: [Declude.JunkMail] Spammers getting smarter?

Has anyone noticed spammers are getting smarter?
I've had a number of pieces make their way through with proper revDNS,
postmaster, abuse, headers, spamheaders, etc.
Has anyone else seen this?


RE: [Declude.JunkMail] One more novice question...

2002-05-01 Thread Madscientist

Try .postmasterdirect.com

Including the leading dot ensures you're not getting other domains.

Maybe also @postmaster.com for when that gets tried.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Wednesday, May 01, 2002 12:29 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] One more novice question...
| 
| 
| Good to know.. We have a problem with a domain that keeps 
| changing its sub-domain.  Namely:
| 
| @m-01.postmasterdirect.com
| @m-02.postmasterdirect.com
| @m-03.postmasterdirect.com
| @m-04.postmasterdirect.com
| @m-05.postmasterdirect.com
| @m-06.postmasterdirect.com
| @m-07.postmasterdirect.com
| @m-08.postmasterdirect.com
| @m-09.postmasterdirect.com
| @m-10.postmasterdirect.com
| 
| So for us to block these people in general we have to put:
| 
| postmasterdirect.com
| 
| In the blacklist.
| 
| But then this will block another organization if they come 
| with a legitimate business that has the domain:  
| Our-Postmasterdirect.com
| 
| While the only thing we wanted to do was to block all the sub 
| domain variations of the first one, namely postmasterdirect.com
| 
| Can this be done or we have to list them all individually.
| 
| Regards,
| Kami
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Wednesday, May 01, 2002 12:19 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] One more novice question...
| 
| 
| 
| If I list:
| 
| Example.com
| 
| It would include:
| 
| [EMAIL PROTECTED]
| 
| But NOT:
| 
| [EMAIL PROTECTED]
| 
| No, it would include both.  Anything with Example.com 
| appearing in it 
| would get caught.
|  -Scott



RE: [Declude.JunkMail] What do you think of this?

2002-04-26 Thread Madscientist

I think you might arrange it by creating a new test called BOOL that
uses other test names (including other bools) and allows for a boolean
expression to pass or fail. Then the resulting test could be weighted
in. This would give the most flexibility with the simplest (read most
reliable & fast) code.

So, for example,

#NOTE Boolean test expressions are enclosed in parenthesis.
# Nested parens also work for more complex expressions.
# In boolean logic, * is AND, + is OR, ~ is NOT, ^ is XOR
# The following test named S_N_R is triggered when
# SPAMCOP AND REVDNS are both true.
# If you leave the weight off of a test then it can only be
# expressed in another BOOL expression.

S_N_R  BOOL  (SPAMCOP * REVDNS) 9000

...

What about that?
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Friday, April 26, 2002 12:51 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] What do you think of this?
| 
| 
| 
| Would it be possible create a boolean test that we could configure, 
| basically a if/then kind of thing?
| 
| ex:
| if SPAMCOP and REVDNS then weight = 9000
| 
| That's something that we have given some thought to, but were 
| never sure 
| how useful it would actually be (given all the combinations 
| of tests that 
| would be possible).
| 
| Thoughts?
| -Scott
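
An added example, not Declude code and not an existing Declude feature: a small evaluator for the BOOL syntax proposed at the top of this message (`*` AND, `+` OR, `~` NOT, `^` XOR, nested parentheses, BOOL tests naming other BOOL tests, weight optional). The operator precedence (`~`, then `*`, then `^`, then `+`), the error handling and the sample configuration are assumptions made for illustration.

```python
import re

TOKEN_RE = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*|[()*+^~])")
LINE_RE = re.compile(r"^(\w+)\s+BOOL\s+(\(.*\))\s*(-?\d+)?$")
OPERATORS = set("()*+^~")


def tokenize(expr):
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent; precedence (assumed): ~ then * then ^ then +."""

    def __init__(self, tokens, lookup):
        self.toks, self.i, self.lookup = tokens, 0, lookup

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        value = self.binary(0)
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return value

    def binary(self, level):
        ops = ["+", "^", "*"]            # loosest binding first
        if level == len(ops):
            return self.unary()
        value = self.binary(level + 1)
        while self.peek() == ops[level]:
            self.take()
            rhs = self.binary(level + 1)  # always parse the right side
            value = {"+": value or rhs, "^": value != rhs,
                     "*": value and rhs}[ops[level]]
        return value

    def unary(self):
        tok = self.take()
        if tok == "~":
            return not self.unary()
        if tok == "(":
            value = self.binary(0)
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok in OPERATORS:
            raise ValueError(f"expected a test name, got {tok!r}")
        return bool(self.lookup(tok))


def evaluate(expr, lookup):
    return Parser(tokenize(expr), lookup).parse()


def load_bool_tests(config_text):
    """Parse 'NAME BOOL (expr) [weight]' lines; '#' lines are comments."""
    defs = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a BOOL line: {line!r}")
        name, expr, weight = m.groups()
        defs[name] = (expr, int(weight) if weight else None)
    return defs


def score(defs, base_results):
    """Return ({bool test: fired}, total weight of fired weighted tests)."""
    cache, in_progress = {}, set()

    def lookup(name):
        if name in base_results:
            return bool(base_results[name])
        if name not in defs:
            raise ValueError(f"unknown test {name!r}")
        if name not in cache:
            if name in in_progress:
                raise ValueError(f"circular reference through {name!r}")
            in_progress.add(name)
            cache[name] = evaluate(defs[name][0], lookup)
            in_progress.discard(name)
        return cache[name]

    fired = {name: lookup(name) for name in defs}
    total = sum(w for n, (_, w) in defs.items() if w is not None and fired[n])
    return fired, total


# Constructed sample; HDR_ONE has no weight, so it only feeds CLEAN_IP.
SAMPLE_CONFIG = """\
S_N_R     BOOL  (SPAMCOP * REVDNS) 9000
HDR_ONE   BOOL  (BADHEADERS ^ MAILFROM)
CLEAN_IP  BOOL  (~SPAMCOP * HDR_ONE) 5
"""
```
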



RE: [Declude.JunkMail] Spamcop Dead.

2002-04-25 Thread Madscientist

No specific idea, but I did just watch a HUGE network instability pass
through the UUNet network... Took the last half hour or so to stabilize
(knock wood). Maybe that's part of it.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Schick
| Sent: Thursday, April 25, 2002 10:19 AM
| To: Declude. JunkMail (E-mail)
| Subject: [Declude.JunkMail] Spamcop Dead.
| 
| 
| Spamcop does not seem to be working this morning.  Anyone know what is up?
| 
| Chuck Schick
| Warp 8, Inc.
| 303-421-5140
| www.warp8.com
| 



RE: RE: [Declude.JunkMail] Blacklist/Whitelist

2002-04-01 Thread Madscientist

How about the message is held in the usual place (spam folder)...
Cleanup is a separate function, perhaps a scheduled job to remove older
(30day +) messages from the folder. Declude would intercept a response
message and move the referenced message by queue file name either to the
spool or to nowhere (deleted).

For security, a one-time hash of some kind would be encoded into the
prompt message and would have to be received in the response. Bad
control messages would have to prompt somebody in order to catch hack
attempts.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| [EMAIL PROTECTED]
| Sent: Monday, April 01, 2002 3:58 PM
| To: [EMAIL PROTECTED]
| Subject: DSN:RE: [Declude.JunkMail] Blacklist/Whitelist
| 
| 
| How would the e-mail be handled that is (I'm assuming here) 
| be held waiting confirmation?
| 
| If a valid confirmation is received back then obviously the 
| mail would be delivered. How long for a confirmation though 
| and if a confirmation bounces, as expected, then what? 
| 
| This idea sounds promising I'm not sure how you get by these hurdles.
| 
| my $.02
| 
| Stu
| 
| 
| 
| 
| At 02:45 PM 04/01/2002 -0500, you wrote:
| 
|   although most mail with a weight that high would have confirmations bounce
| 
| Well - obviously, you would have to detect a valid confirmation queue
| ID in the SUBJECT line and if found, would let confirmations PASS -
| even if NORMALLY that IP address would bounce.
| 
| I meant that most of the confirmation requests would bounce.  For
| example, E-mail from [EMAIL PROTECTED] (a non-existent account)
| that sends spam to you would likely fail the WEIGHT10 test.  If you had
| WEIGHT10 CONFIRM after the confirmation system is set up, a confirmation
| request would be sent to [EMAIL PROTECTED], but that would bounce.
|  -Scott
| 
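The one-time hash suggested in the reply above, sketched as an added example; it is not part of the original post and not Declude code. The class name, the token layout (`queue file name:expiry:HMAC`) and the queue file name used in the demo are assumptions.

```python
import hashlib
import hmac
import time

class ConfirmationGate:
    """Issues one-time tokens for held messages and checks the replies."""

    def __init__(self, key, ttl=30 * 86400):
        self.key = key            # server-side secret, never sent out
        self.ttl = ttl            # matches the 30-day cleanup window
        self.pending = {}         # queue file name -> expiry timestamp
        self.alerts = []          # bad control messages for an operator

    def _tag(self, queue_id, expires):
        msg = f"{queue_id}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, queue_id, now=None):
        """Token to embed in the confirmation prompt for one held message."""
        expires = int(time.time() if now is None else now) + self.ttl
        self.pending[queue_id] = expires
        return f"{queue_id}:{expires}:{self._tag(queue_id, expires)}"

    def redeem(self, token, now=None):
        """Return the queue file name to release, or None after alerting."""
        now = time.time() if now is None else now
        try:
            queue_id, expires, tag = token.rsplit(":", 2)
            expires, tag = int(expires), tag.encode()
        except ValueError:
            return self._reject("malformed", token)
        if not hmac.compare_digest(tag, self._tag(queue_id, expires).encode()):
            return self._reject("bad hash", token)
        if self.pending.get(queue_id) != expires:
            return self._reject("replayed or unknown", token)
        del self.pending[queue_id]            # single use, even if expired
        if now > expires:
            return self._reject("expired", token)
        return queue_id

    def _reject(self, reason, token):
        self.alerts.append((reason, token))   # surfaced to a human reviewer
        return None

if __name__ == "__main__":
    gate = ConfirmationGate(b"constructed-demo-key")
    token = gate.issue("Dq0001.SMD")          # constructed queue file name
    print(gate.redeem(token), gate.redeem(token), gate.alerts)
```

The hash is checked before the pending table is touched, so a forged reply cannot use up a genuine sender's confirmation, and every rejected control message lands in `alerts` for review.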



RE: [Declude.JunkMail] DORKZTL:Spammers lose in small-claims court

2002-03-26 Thread Madscientist

[NOTE: Your mail server [216.88.36.96] is missing a reverse DNS entry. All Internet 
hosts are required to have a reverse DNS entry. The missing reverse DNS entry will 
cause your mail to be treated as spam on some servers, such as AOL.]




I think the point is that the case law is now moving in the right
direction along with the legislation... Eventually, maybe soon, the
fines and other legal ramifications of spamming will begin to make it
less palatable. Certainly this won't stop all spam, since it can always
move overseas, but it will change the shape of the playing field.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Holt
| Sent: Tuesday, March 26, 2002 2:43 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] DORKZTL:Spammers lose in 
| small-claims court 
| 
| 
| I have to agree, John.  I thought this was a step in the 
| right direction.
| 
| Not to be negative, but...
| Are these fines large enough to stop SPAMmers that could 
| potentially make much more than the fines.  In essence, they 
| could be a cost of doing business for the SPAMmers.  Does 
| anyone know how much a SPAMmer can make? Does it exceed the 
| amount of these fines?
| 
| Todd
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]]On Behalf Of Dean 
| Zingle, Ipswitch.ca
| Sent: Tuesday, March 26, 2002 12:42 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] DORKZTL:Spammers lose in 
| small-claims court
| 
| 
| Huh?  Did you read the article John?  I may have to re-read 
| the article, but I got the exact opposite out of it ...
| 
| Dean
| 
| - Original Message -
| From: John Tolmachoff [EMAIL PROTECTED]
| To: [EMAIL PROTECTED]
| Sent: Tuesday, March 26, 2002 11:31 AM
| Subject: RE: [Declude.JunkMail] DORKZTL:Spammers lose in 
| small-claims court
| 
| 
| Great. One more court decision making our life hard.
| 
| John Tolmachoff
| IT Manager, Network Engineer
| 211 E. Imperial Hwy., Suite 106
| Fullerton, CA 92835
| 714-578-7999, ext. 104
| [EMAIL PROTECTED]
| www.reliancesoft.com
| 
| 
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of Jay A. Caplan
| Sent: Tuesday, March 26, 2002 10:05 AM
| To: Declude. JunkMail (E-mail)
| Subject: [Declude.JunkMail] DORKZTL:Spammers lose in 
| small-claims court
| 
| Free-speech group Peacefire.org has won a legal round in its 
| fight against unsolicited e-mail, invoking Washington state's 
| anti-spam law.
| 
| For the full article, see 
| http://news.com.com/2100-1023-868332.html?legacy=cnettag=lthd
| 

RE: [Declude.JunkMail] DORKZTL:Spammers lose in small-claims court

2002-03-26 Thread Madscientist

[NOTE: Your mail server [216.88.36.96] is missing a reverse DNS entry. All Internet 
hosts are required to have a reverse DNS entry. The missing reverse DNS entry will 
cause your mail to be treated as spam on some servers, such as AOL.]


Thanks... I've forwarded that info as well.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Holt
| Sent: Tuesday, March 26, 2002 3:22 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] DORKZTL:Spammers lose in 
| small-claims court 
| 
| 
| When I follow the dnsstuff link that John gave:
| 
| http://www.dnsstuff.com/tools/ptr.ch?ip=216.88.36.96
| 
| I get varied results.  Sometimes, it does come back with a 
| revdns and sometimes not.  I have attached the results from 2 
| attempts.  Run it a few times and see the difference.
| 
| Scott, is there a difference in the way dnsstuff checks from 
| one attempt to another?
| 
| Todd
| 




RE: [Declude.JunkMail] DORKZTL:Spammers lose in small-claims court

2002-03-26 Thread Madscientist

[NOTE: Your mail server [216.88.36.96] is missing a reverse DNS entry. All Internet 
hosts are required to have a reverse DNS entry. The missing reverse DNS entry will 
cause your mail to be treated as spam on some servers, such as AOL.]


Today, I have all the luck. %^b
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Charles Frolick
| Sent: Tuesday, March 26, 2002 3:37 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] DORKZTL:Spammers lose in 
| small-claims court 
| 
| 
| The issue is specific to his domain, since I use Savvis for 
| my backbone, I thought it best to check, and everything is 
| fine for my block 209.144.1.0/24 in both servers.
| 
| Chuck Frolick
| ArgoNet, Inc.
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
| Sent: Tuesday, March 26, 2002 2:25 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] DORKZTL:Spammers lose in 
| small-claims court
| 
| 
| 
| When I follow the dnsstuff link that John gave:
| 
| http://www.dnsstuff.com/tools/ptr.ch?ip=216.88.36.96
| 
| I get varied results.  Sometimes, it does come back with a revdns and
| sometimes not.  I have attached the results from 2 attempts.  Run it a
| few times and see the difference.
| 
| Good catch.
| 
| Scott, is there a difference in the way dnsstuff checks from one 
| attempt to another?
| 
| The problem here is that savvis.net's DNS servers are broken.  One of
| them (ns1.savvis.net) is correctly returning a reference to the
| microneil.com DNS servers, the other (ns2.savvis.net) isn't.  Since
| both of them are claiming to be using the same zone for
| 88.216.in-addr.arpa., but are returning different results, they are
| broken.
|  -Scott
| 


