I share your pain! We've been live with Declude and HOLD actions for about
a week, and I've been beavering away at building our whitelist for 2 weeks.
In a nutshell, I'm building the whitelist because I want to keep my SPAMCOP
HOLD action (and a few others). I've established with our team that
One particularly aggravating type of spam is where the from: is faked to be
from the recipient or the recipient's own domain.
I saw in the archive that this thread has been touched on before, but how
about once more around the mulberry bush?
I believe Scott mentioned that this behaviour counted
Title: [Declude.JunkMail] Odd log problem commenting an IP block
Anybody else seeing this?
I have a text file on which I use IPFilter, that holds my manually created blacklist from my old e-mail system:
#Nov-08-2002 AC This is our custom blacklist of IP addresses and subnets
BENTALLIPBL
Sure thing, John. An OWA message is coming right up, from OWA for Exchange
5.5 SP4.
-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 7:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OWA and BASE64
If someone has access
Scott, do you recommend using both BADHEADERS and SPAMHEADERS? I use both,
along with the LOOSENSPAMHEADERS directive, and I'm wondering if SPAMHEADERS
incorporates BADHEADERS... It seems that when I see SPAMHEADERS, I very
often see BADHEADERS.
On the other hand, maybe I'm just getting used to
Apparently I'm slow to get this, but since November 13th, there has been
spam which includes this footer (which I've deliberately mangled with ** to
avoid anyone else's text filters):
This message passed through ANTI**SPAMCENTER filter.
If this is a S**PAM - it's imperative that you let us know.
Very interesting project, Sanford. Thank you for sharing.
To clarify a point though: do you implement a BOUNCE to the domain's
postmaster of the offending server?
I've mulled creating a similar implementation with a database back end
(inspired by Terry Fritts) with a goal of aging out manual
I have a feature request. With v1.65 of Declude JunkMail, the manual's list
of action precedences, my logs and my message headers have all the necessary
data for me to construct the post-facto reporting of what happened to a
given message. But it also means that I have to build into my
True, I would have an immediate use for logging the final action; I
suspected that others would have a user for a variable, e.g. when multiple
actions are performed, such as delivering a message and ALERT or BOUNCE,
marking up the original would be useful.
Andrew 8)
-Original Message-
I'm rather fond of this web tool for doing multiple simultaneous lookups:
http://openrbl.org/
Specifically, it returns hyperlinks and text messages if returned by the bl.
It also puts up spam related news and info.
Andrew 8)
-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL
My list would be the same as previously cited, and yes, earthling.net is not
a typo.
All of these would make it to my list as the top faked from: domains. But
of the ones that I've seen make it through to the spamtraps, none. Which is
why I haven't implemented a small negative weight for these
Is there a gotcha in filter text files when the message is in HTML format?
The following line works if I send myself a message from HotMail, but didn't
on an actual piece of spam I just received, whose relevant bit of text I'll
reproduce here with an underscore inserted to get around my own
(sigh) Keyboard virus... I should have had an underscore in *both* of the
entries. To recap I'll reproduce here with an underscore inserted to get
around my own filter:
#Dec-02-2002 AC Very common in Chinese hosted spamvertisement
# unsubscribe footers
BODY 0 CONTAINS bta_mail.net.cn
And the
Except for the underscore I inserted, both snippets are verbatim. No
trailing spaces or hidden control characters. The message was not in
Base-64. I just checked my Declude log for today and it did fire off on 7
other messages today.
I'll include the whole spam message in an attachment here.
For what it's worth, no, we never get bogus claims of spam originating from
our IP range.
This is going out on a limb, but your range of 192.68.75.0/24 looks a lot
like 192.168.75.0/24 (which would be IANA reserved private) and that
confusion might be the source of your problem.
The ooh, hackers
Hi, Scott.
I don't use or send to anyone with MIMESweeper, but I thought I'd chime in
here, off the list, and submit a message I received this weekend. What is
unusual about it is that the header has all the X- entries before the date
entry. I haven't noted this before with Declude, and wish
Thanks for the explanation, Scott.
To get really specific, did Declude fix up the e-mail by adding in the
missing Date: header, or did IMail? It sounds like a Good Thing(tm) but I'm
looking for the law of unintended consequences.
My bet is that you won't modify any content in the header, but
We are not an ISP; as a private corporation, we define our usage policy and
it is more strict than what you can, so we can block junkmail as well as
spam. We try not to be censors, but spam and junkmail cost us real dollars
in theft of service and loss of productivity.
We have the luxury of
I've had this happen several times, too, Greg. If you are inclined to
search the archives from two or three weeks ago, you will find a reply from
Scott regarding a terse error message in the Declude log file; the upshot was
that if you look in your IMail and Declude logs, you will find this error
Given the huge rise in BASE64 encoded message text I've seen, matching BODY
on decoded message text would be welcome indeed. Likewise, I've seen a few
(rare) false positives when BODY matched text within an attachment.
Not that I'm trying to re-invent Declude Virus, but what I found was that:
Scott, do you have an ETA guesstimate on how long the interval is between
the beta and RTM release?
Andrew 8)
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 11:45 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude JunkMail
Scenario:
Current filter file has several hits on a given e-mail message, and as a
result with other tests, the HOLD weight is reached.
On examining the held message and the Declude log (LogLevel MID), the total
weight reached for the filter file is too high to match any single entry.
The
Title: Filter text: out of the frying pan and into the fire
I think the processing order of the filter text has changed between JunkMail v1.65 and v1.66i. Specifically, I saw high scores on an innocent message due to my spam hint rule.
What I intended to do was search for obfuscation
(ahem) Errr. Never mind.
I jumped the gun. My innocent sample(s) was using both www.example.com
as well as the escaped version of . and for / in their URLs. In my
haste to make things right, I only saw the normal text URLs.
The message I saw held fell into two categories: the newsletter
Markus, the crux of the issue for you is whether or not you allow relaying
for your client servers. If you do, then the percent hack is a legitimate
method for their server to request the relay from your server.
The IMail security regarding the percent hack is not to *prevent* the
percent hack,
Check out this article if you haven't already.
http://www.theregister.co.uk/content/6/29159.html
The link to the Newsgroup message thread for pro vs. con is worth a read,
and includes some gems.
The short of it is that spews.org often lists a much bigger netblock than
they need to, on the
Here's the weights we use:
HEADERS 2 CONTAINS PowerMTA(TM)
HEADERS 5 CONTAINS KUNBrun SMTP Receiver
HEADERS 5 CONTAINS Synapse - Delphi
HEADERS 3 CONTAINS The Bat!
HEADERS 5 CONTAINS SmartMax MailMax
HEADERS 5 CONTAINS eGroups Message Poster
HEADERS 5 CONTAINS X-Mailer: FoxMail
HEADERS 9
Has anyone else been seeing messages where the body is in the headers?
I do see this occasionally. For what it's worth, I mostly see messages
without the header separator line in my HotMail account, not my corporate
account.
Andrew.
---
[This E-mail was scanned for viruses by Declude Virus
Keith, check the Manual; as you go down the list of actions, you will see them
in increasing priority. So never mind the weight of this filter test, set the
weight to 0 and the action to DELETE, because that action has the highest
priority.
The action for the WEIGHT20 will be
This bit of spam left the kitchen before it was fully cooked. I leave it to
your own judgement as to whether this provides insight into the junk in some
of the spam we get, or whether it's disheartening to see what could clearly
be meta-junk surrounding the payload.
(I've lopped off the header
Sheldon, because you're a service provider and we're a private business, I
don't know if this will help you, but this is what we do.
We whitelist our IMail server by its internal address, as well as the
internal addresses of our internal mail hosts.
We do not whitelist by our domain name, for
Scott, wouldn't Jeff also have to use the HOP and HOPHIGH directives? Or
does IPBYPASS imply a HOPHIGH of one greater than the current setting when
the IPBYPASS is used?
Andrew 8)
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 6:53 AM
Scott, does the COMMENTS test also catch bogus HTML tags?
I've seen rather a lot of spam HTML messages where there are deliberate
bogus tags like HUE5MTl to throw text matching off the scent, whereas
because they look like tags, the e-mail client display doesn't show them at
all. Text matching
I was thinking that it would probably be a relatively simple matter to add
such a test in a future version of declude. If an incoming message reached a
certain weight, it could be added to a recent spammer list. This list could be
checked along with other internal tests _before_ DNS tests are
Get this... Declude.com gets a positive side-mention in this article
describing the new version of Symantec's antivirus mail gateway, which
includes some spam filtering capabilities.
http://www.itworld.com/Net/3241/030324symantecgateway/
Andrew 8)
Kami, I think it's an annotation put there by the bulk mailer as a note to themselves
about the source of the target list (ooh, I'm starting to sound like
*them*).
I saw this in the body of the html spam I received today:
!-- saved from url="" PROTECTED] --!-- Built by
I had a program that checked a time server every day to keep the time
accurate. On more than one occasion I saw the date get changed to the
year 2020 and the year 4040. I don't use time server programs any more.
WXP has a SNTP client built in. Use:
net time /setsntp:tick.ucla.edu
net stop
Kami, I found that mail from dartmail.net was all legitimate newsletters,
but mail from maildart was spam. I let the RBLs do their usual job, but
then I counterweight with:
HELO -50 ENDSWITH dartmail.net
although I prefer REVDNS, I find this a reliable middle ground (WHITELIST
being on the other
KR SPAM hardly comes with PDF attachments or Word or even less likely
KR with Excel. Perhaps one easy way to combat this is to figure out
KR the attachment (don't know how) may be we can assign a negative
KR weight to emails with such attachments.
.. another 2 cents to echo Scott's reply
are now getting a lot of spam with emails that use ... @dell.com or
@ibm.com
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, July 02, 2003 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: re: [Declude.JunkMail] Any
Nicely darn, Karl. Please do post your perl script to the list. If you'd
rather send it directly to interested parties, please include me in that
list.
I'm just starting in on perl and VB Script, because (sigh) I have indeed
been using find.exe as a crutch. For example, I call this script all
Another 2 cents. Kami, on your prompting I looked back 4 days and saw that
we'd received 34 messages that were in the format [EMAIL PROTECTED]; most of
those domain names were perfectly legitimate... and faked.
I found that each one of the messages had heavily triggered other tests and
were all
No thanks. This is less than ideal, but I like Yahoo Groups even less. I
am also not in favour of a Wiki board, because I mistrust the nature of it,
that is, the ability for anyone to modify any post. Declude JunkMail is a
small fish in a big ocean, but remember that the spammers won't like us.
I would look for the easy stuff first. This sounds exactly like the speed and
duplex settings are mismatched somewhere between the mail server and the
inside of the ATT hardware.
Andrew.
-Original Message-
From: i360 [mailto:[EMAIL PROTECTED]
Sent: Tuesday,
Another caveat:
unconfirmed.dsbl.org is not a superset of list.dsbl.org or multihop.dsbl.org
but often contains duplicates of them. So although I generally trust
unconfirmed.dsbl.org to have accurate fresh listings, I have to give it a
low weight. I would give it a higher weight if I could, but
My experience has been that NT4-era service packs will overwrite hotfixes.
W2K and W2K3 (and Office XP, too) service packs will leave patches intact,
i.e. they will not overwrite components newer than themselves.
Doing a repair/re-install from the Recovery CD or from the
Mark, it may be interesting for you to note that we don't set the number of
instances of Declude directly. Instead, the "max processes" limit in your
IMail SMTP advanced settings is what governs the total number of IMail and
declude.exe instances.
Also, an important
-Original Message-
From: Colbeck, Andrew [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 3:56 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Declude using 50% cpu
Mark, you might check if your C:\IMail\Spool\Overflow contains many Q*.SMD
files, which will tell you whether you have a mail processing backlog.
A busy server is one thing, and a burdened server is another.
You can read:
http://www.declude.com/dq.htm
for the how and why
FYI, I have a single mail relay with no mail boxes. Runs IMail like a champ in
a stripped down Windows XP in a SCSI based Compaq server PII 333 MHz and
160 MB of RAM (plenty), but with the text filtering we do, we get a
consistent overflow every day during peak hours. We've
Rifat, since you have the Pro version of JunkMail, how much text filtering
do you do? Kami and I both do quite a bit...
I just counted, and in various separate text filter files, I have 3500 BODY
tests.
Andrew.
-Original Message-
From: Rifat Levis [mailto:[EMAIL PROTECTED]
Sent:
u usage consistently.
-Original Message-
From: Colbeck, Andrew [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 3:56 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Declude using 50% cpu
SP Unfortunately, that can be difficult to determine. You would need to view
SP the raw source of the E-mail, which many mail clients don't support (you
SP would need to be able to see the MIME headers).
MG I am using a great 3rd-party Outlook add-on called PocketKnife Peek
This ISP, or whatever they are, sends us a lot of spam. I would not usually
block this many IP addresses, but?
What do you all think?
Ultimate Offers LLC. NET-69-60-0-0-24 (NET-69-60-0-0-2)
69.60.0.0 - 69.60.0.2
How did they get such a large block of IP
-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 8:36 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] RBL Question
I saw the below message on the forum:
-BEGIN QUOTE---
For a long time the SBL has been available either
PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] RBL Question
Doesn't this announcement mean that as of Aug 11, SPAMHAUS will have to be
checked directly and will NO LONGER provide info to osirusoft? That
appeared to be the gist of the announcement.
From: Colbeck, Andrew
Keith, you
Thomas, I just implemented VirusWall, but in a different configuration than
you have.
I think you should start by turning off the Disable insertion of InterScan
Received: header when processing messages. This is on the Advanced
Options of the GUI, or in the intscan.ini in the [EMail-Scan]
Thanks, Kami. I've started a new section in one of my JunkMail Pro text
filter files called Phishing for similar attempts to garner e-mail
addresses and credit cards numbers.
Andrew 8)
-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 2:11
Some spam made it through our Imail+JunkMail gateway last night, and I was
wondering how it did it, because there were NO headers added by JunkMail
Pro.
According to my sys0806.txt logfile, the message was received by IMail, then
it was later delivered to my internal mail server.
I found a few
FS Is it just me or has anyone else noticed a large increase in the volume
FS of SPAM over the last two days?
Nope, not particularly high. Actually, it's back to normal, because we
saw a lull last week.
My poor little server suffers from a backlog during our peak hours; to
manage the contention
What a mess!
Aside from buying AutoWhite, does anyone have a suggestion for letting mail
in from valid dial up users at Qwest, while still keeping out the spammers?
SPAMDOMAINS may be appropriate here, to reward a person from qwest who
actually says they're from qwest...
e.g.
Received: from
I wouldn't be at all surprised if it turns out that these phishing
expeditions for e-mail readers, replies, and credit card details are the
same spammers behind the SoBig malware.
Check out:
http://www.lurhq.com/sobig-e.html
I came across this very detailed write-up when checking out some oddly
A little heads-up about SoBig.F ...
2,000 of my inbound e-mail messages today have been this virus, from a
variety of sources.
The messages are the virus itself, neutered versions of the message, and
bounces/warnings from dummy antivirus software on mailservers out there that
still warn the
Message Sniffer is not so bad as I tested it, but I have a big problem
with newsletters; it has a big false positive rate with them.
On the home page for MessageSniffer you'll find a Help (QA) section which
is worth your time to read if it's worth your time to implement.
Submit false positives to:
Wow, I thought my increase in messages from 5,800 messages inbound to 10,000
was a lot.
BTW, my old mail server (PII @ 333 MHz, data on a SCSI2 mirror) with the
same volume would regularly run mid-morning (my peak volume) with a 30 to
100 messages in the overflow folder.
The new server (PIII @
Well, you shouldn't... here is a cleaned up version of the JunkMail Pro
filter file I started using last night.
My global.cfg has:
BADNOTIFY filter D:\IMail\Declude\BadNotify.txt x 0 0
and
BADNOTIFY HOLD
If you want BADNOTIFY to show up in your Total weight = lines in your
decMMDD.log file,
(I was going to point you to the MailArchive website rather than re-post,
but I couldn't find my own message there.)
You're probably getting 4 kinds of nuisance messages:
1) The SoBig.F virus messages
2) Broken versions of the message with all the text but no virus
3) Bounce notifications
Until a few days ago, I was using SORBSALL, but on checking out their home
page, I found that it had grown quite a lot since I started using it.
Since JunkMail will only incur the lookup once, I suggest that if you're
using SORBS that you break it up into all the little tests to query the same
: [Declude.JunkMail] SORBS
How are the false positive rates ?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, August 28, 2003 12:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] OSRELAY question.
Similar to one noted earlier (by Bill?), slightly updated:
Chuck, that suggestion could be useful for me, but I can two bits...
I've noticed that some legitimate bulk mailers, like spammers, are
completely brain dead when it comes to removing e-mail addresses that have
bounced. For example, I saw a spammer consistently using an address that
hadn't
Chipping in my two cents (Hi, I'm back from vacation!) I'm waiting for
something like BODYTEXT instead of BODY so that I can stop getting false
positives from short sequences showing up in attachment encoding.
I had to stop trying to filter:
grx
grx2
t1t
MLM
d0rm
/ad
/ads
because they came up
Sorry, I've no great insight on the positive uses of this test, but I can
point out another exception. E-mail enabled pagers and RIM Blackberries
often have their phone number as the e-mail address @TheProviderDomain.com
instead of or in addition to the subscriber's name.
Andrew.
Here are some examples of mailing lists that have lots of numbers (and
letters) in the MAILFROM. You may find that you'll have to put in a
counterweight every time a user reports that they're missing mail when they
sign up for a newsletter.
Andrew 8)
p.s. I've deliberately munged the addresses a
JT Pagers have 10 numbers, so I would actually start at either 11 or 15.
JT An old CompuServe address will most likely not be failing other tests to
JT where this one would put it over. How many numbers do those addresses have
JT in them?
Nine digits, e.g. [EMAIL PROTECTED] (that was mine for 5
MB GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0
MB SUBJECT 2 CONTAINS qb
(snip)
This looks good, Matthew.
The weight is low enough to be cautious, and I suspect the only false
positives you will get are on subject lines with that raw
=?ISO-8859-1?B?UmU6U2lsZG stuff.
SUBJECT 40 CONTAINS =?ISO-8859-1?b?
I'm seeing quite a few of these coming in, but they are getting held.
I'm including a sample from my log, which is set to HIGH so that others can
see what tests have been useful for me.
An interesting point that came out of my following this thread is that I
How about some thoughts on selectively running tests, based on the HOP
count?
Specifically, one of my strong reasons to buy Declude+IMail (yes, that's the
way I view it!) for my gateway was because of the HOPHIGH feature for
running ip4r tests against more than just the IP of the host that sent
For those who are using the BASE64 test and finding that you have to
counterweight for Exchange Servers that uselessly encode plain ASCII
messages, note that there is a new patch level:
HEADERS -10 CONTAINS Microsoft Exchange V6.0.6375.0
in addition to John Tolmachoff's research:
HEADERS -10
at uncaught spam, perhaps these guys are getting nailed by other tests.
Dan
On Thursday, September 11, 2003 13:16, Colbeck, Andrew
[EMAIL PROTECTED] wrote:
For those who like to use http://openrbl.org but found it unavailable for
longer than any usual system maintenance, your guess that it was due to a DDOS
is right.
Meanwhile, Declude's own http://www.dnsstuff.com/ and http://moensted.dk/spam/
can get you the lookup information.
Here's this morning's biggest loser: we HOLD on 20, and this spammer
achieved a whopping:
DSBL:6 SPAMCOP:10 BADHEADERS:6 HELOBOGUS:6 REVDNS:4 ROUTING:8 IPNOTINMX:2
NOLEGITCONTENT:2 COUNTRY:10 COMMENTS:153 SNIFFER:7 FIVETENSRC:5
EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BH-CNKR:10
Received: from 66.38.133.97 [200.252.69.131] by mail.bentall.com (SMTPD32-8.02) id A3E5113000F4; Wed, 17 Sep 2003 10:03:33 -0700
Received: from [73.250.175.174] by 66.38.133.97 with SMTP for snip; Wed, 17 Sep 2003 06:00:29 +
Message-ID: [EMAIL PROTECTED]
From: "Sheldon
DSBL:6 SPAMCOP:10 BADHEADERS:6 HELOBOGUS:6 REVDNS:4 ROUTING:8 IPNOTINMX:2
NOLEGITCONTENT:2 COUNTRY:10 COMMENTS:153 SNIFFER:7 FIVETENSRC:5
EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BH-CNKR:10 SORBS-HTTP:7
PSBL:5 CBL:5 GIBBERISHBODY:3 VERISCAM:7 BENTALLIPBL:7 BENTALLSPAMHINT:22
I'm seeing some false positives for mail from .comcast.net hosts that are
falling into various ip4r lists. It's very sporadic. It seems like quite a
few are being tested as mail relay hosts, but aren't.
Other providers provide a sensible naming convention to make it
straightforward to identify
Who has had any luck in trapping spam written in a foreign language? I seem
to be getting what appears to be spam, written in Russian, and I have no clue
as to how to stop the messages.
Could you send the full headers of one of the E-mails? The actual foreign
language
in Moscow: 1-0-5-5-1-8-6
-Original Message-
From: Colbeck, Andrew
Sent: Thursday, September 18, 2003 10:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Foreign language Spam Mail
According to external DNS, you only have one mail host.
For starters, you can whitelist your own IP. And if that server is the only
machine of yours that is going to identify itself as wcnet.net,
HELO 20 ENDSWITH wcnet.net
should do nicely until someone called
I should add:
If you want to go the extra mile and say:
MAILFROM 20 ENDSWITH wcnet.net
Then you'll find that works great against spammers who fake their mailfrom
address so it looks like your own name (or say, [EMAIL PROTECTED] while
trying to send to you!), but:
You'll also
(sigh) Again I'm the voice of dissent... I find that CBL merits no higher than
a weight of 5 out of my HOLD weight of 20. I find that it includes a lot of
ISP mail servers that get used by spammers. They do seem to work at removing
them, but meanwhile, it's throwing the baby out
Well, it's important to remember that SpamCop is user-driven.
The man behind it, Julian Haight, and his Spam Cop deputies focus on parsing
the messages well, holding off the DoS attacks, juggling the expiry and the
weight of the IP subnet based on reports, and getting the right abuse
addresses
Two major Canadian ISPs, and ComCast.net are common enough. True, true, it is
far more common for dial-up type accounts to spam through proxies, open
relays, or directly to their recipients, but it does happen, and too often.
It used to be common, but ISPs have generally wised
Browsing for low total weights through the 638 messages which triggered CBL so
far today, I'm not seeing any obvious errors, mostly very high total weights.
Two that I've definitely seen before were mail servers for comcast.net and
bizmailsrvs.net (Verizon - no angel), which
For what it's worth, I use TextPad from the eponymous .com website, which
behaves the same way as has been remarked for UltraEdit. TextPad seems to
be a more rounded tool, whereas UltraEdit seems to lean towards widgets for
programmers.
Andrew 8)
-Original Message-
From: Bud Durland
Paul, I've seen a few today. From literally all over the world,
spamvertising a website in China with a disposable name.
aa
gg
kk
ll
nn
I found that the various following tests were good enough to catch all of
the ones we received, and are typical of the tests that were triggered. You
http://fabel.dk/relay/test/
Now returns a farewell page. It looks like only the tester is gone, and
that the ip4r lookup still works, e.g.
nslookup 2.0.0.127.spamsources.fabel.dk
Non-authoritative answer:
Name:    2.0.0.127.spamsources.fabel.dk
Address: 127.0.0.2
I don't use FABELSOURCES so
The only spam I've seen from Yahoo! Groups have all been due to Joe Job type
signups for strange groups, likely as a spammer "fighting back". I don't know
enough about their opt-in/sign up procedure to know how that was done.
Andrew
8(
-Original Message-
From:
Another 2 cents...
I see all too often that mail comes (and goes out) to hosts pointed to by MX
records that are not the lowest. Either some SMTP servers take the value of
the MX record as a *suggestion*, or their DNS is broken, and take the first
MX listed, regardless of the value.
I suspect
(Whups! My bad, whitelist anywhere is right there in black and white in
the current online manual.)
If you use this directive in your .cfg file:
PREWHITELIST ON
then you get short-circuit evaluation, and a WHITELISTed message will get
processed a little faster than it otherwise would.
Without
Ok, Joshie, I'll bite. You received a NXDOMAIN response when querying for a
.com TLD, which means...
Verisign is no longer hijacking, I mean wildcarding, all non-existent .com
and .net domains to 64.94.110.11
The VERISCAM test is now useless.
-Original Message-
From: Joshua Levitsky