Thanks, Pete and Scott.
As always, Pete, that change worked as advertised. I've put in a slight
tweak as well as Scott's AOL suggestion: I prepended a period to
qualify the domains more tightly. (I also left in the examples; that's my
own practice for self-documentation.)
<source>
  <!-- <header name='X-Use-This-Source:' received='mixedsource.com [' ordinal='0' /> -->
  <!-- <header name='X-Originating-IP:' received='hotmail.com [' ordinal='0' /> -->
  <header name='X-Originating-IP:' received='.hotmail.com [' ordinal='0' />
  <header name='X-AOL-IP:' received='.aol.com [' ordinal='0' />
</source>
I sent myself three messages from my own Hotmail account, and then
checked my own firewall's IP address in my local GBU:
CD \messagesniffer
SNFClient.exe -test 1.2.3.4
GBUdb Record for 1.2.3.4
Type Flag: ugly
Bad Count: 0
Good Count: 3
Probability: -1
Confidence: 0.113212
Range: normal
Code: 0
Hopefully, others will choose to also pay in to the system, and
regardless, I'll see less Hotmail and AOL spam from known zombie IP
addresses!
Andrew 8)
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Scott Fisher
Sent: Monday, December 06, 2010 1:18 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers
I made this change immediately. Like Andrew I've always wondered why the
Hotmail header hasn't been targeted by someone.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Pete McNeil
Sent: Monday, December 06, 2010 2:31 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers
On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
> I have the same position as Scott.
>
> I find that the MessageSniffer product from ARM Research is the most
> reliable test
<snip/>
> Hotmail in particular would be less effective for the bad guys if I
> had an antispam tool that would determine from the headers that the
> sender was from Hotmail (or others) and then check the
>
> X-Originating-IP: [111.222.333.444]
<snip/>
> I've suggested it before but vendors are, quite reasonably, leery of
> building into their product a feature that is specific to a few
> providers while being prone to false positives.
Actually, if I may, Message Sniffer has precisely that feature built
into GBUdb training.
Specifically, you can tell Message Sniffer to identify the source IP for
the message based on the presence of a specific header. This feature was
designed specifically for hotmail and other systems that provide a
source IP for one reason or another -- (perhaps complex internal
routing).
For configuration information see:
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp
If you configure this training mechanism for GBUdb in your Message
Sniffer engine then GBUdb will become much more accurate for messages
coming through that source.
Best,
_M
--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010
---
[This E-mail was scanned by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [email protected], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
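
The source-header rules configured at the top of this thread, sketched as an added Python illustration (not from the thread and not Message Sniffer's own code). It assumes a rule means "if the Received header at that ordinal contains the `received` text, take the source IP from the named header", with ordinal 0 being the topmost Received header; all hostnames and addresses are constructed samples.

```python
import re
from email import message_from_string

# Rules modelled on the <source> block above: (header carrying the client IP,
# text required in a Received header, ordinal of that Received header).
TIGHT = [("X-Originating-IP", ".hotmail.com [", 0), ("X-AOL-IP", ".aol.com [", 0)]
LOOSE = [("X-Originating-IP", "hotmail.com [", 0)]  # the commented-out, looser match
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def first_ip(text):
    """Return the first dotted-quad found in text, or None."""
    m = IPV4.search(text or "")
    return m.group(0) if m else None


def source_ip(raw_message, rules):
    """Return (ip, header_used) for the address a reputation lookup should score."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    for name, needle, ordinal in rules:
        # Assumption: ordinal 0 is the topmost Received line, written by our
        # own MTA, so it is the only evidence the peer really was the provider.
        if ordinal < len(received) and needle in received[ordinal]:
            ip = first_ip(msg.get(name))
            if ip:
                return ip, name
    # No rule applied: fall back to the connecting peer's address.
    return (first_ip(received[0]) if received else None), "Received"


def make(peer, extra=""):
    """Build a constructed test message whose topmost Received names peer."""
    return f"Received: from {peer} by mx.example.net; Mon, 6 Dec 2010\n{extra}Subject: t\n\nbody\n"


XOIP = "X-Originating-IP: [198.51.100.7]\n"
WEBMAIL = make("snt0-omc1.snt0.hotmail.com [192.0.2.10]", XOIP)
FORGED = make("dsl-9.example.org [203.0.113.9]", XOIP)      # header supplied by the sender
LOOKALIKE = make("mx.nothotmail.com [203.0.113.20]", XOIP)  # not a Hotmail host

if __name__ == "__main__":
    for label, m in (("webmail", WEBMAIL), ("forged", FORGED), ("lookalike", LOOKALIKE)):
        print(label, source_ip(m, TIGHT), source_ip(m, LOOSE))
```

With the leading period, the lookalike host is scored on its own connecting address; with the looser pattern, the sender-supplied header would be trusted instead.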