BTW, actually two of those three headers are from the same company.  You can also easily identify this spam company with a filter for the following unique code which might be safer than the other technique (though, only slightly more so):

HEADERS    0    CONTAINS    X-JLH:

Be sure to include a space after the colon just to be safe.  You might want to pack this together with the others just in case he stops using the @b. technique, but still, knowing the IPs would be the best.

Matt



Matthew Bramble wrote:
Andy,

I tried sending this twice, but I think Scott's server blocked it because of the content in the headers, so the headers are attached as a zip this time.  Your global.cfg would have something like the following and the adjusted filter file is in the original reply pasted below (name the filter whatever you wish).

[EMAIL PROTECTED]        filter   C:\IMail\Declude\Filters\[EMAIL PROTECTED]        x   5   0


Then the original reply (adjusted a little)...

Matt


Actually, I think this one is in the format of [EMAIL PROTECTED], so the filter would need to be:

MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]
MAILFROM   0   CONTAINS   [EMAIL PROTECTED]

I put a number before the domain because it appears that this spammer uses VERP and the pattern always has a number before the "@b." so this will help protect from false positives.  I just wouldn't necessarily kill it for just this one thing, and I don't think you have to because this stuff isn't getting through my server, so it's picking up points from RBLs and other things.

I've seen this stuff coming through my own machine and noted it because of the question earlier.  I fear that the pattern is only temporary, but if I'm not mistaken, this is from one of the contest type of spammers with a set group of IPs that they send out from.  You could more effectively search for hits and take the IP addresses out and then filter for those as long-term prevention in the event that this pattern fails (which I expect it will).  Bill could probably grep that info from his logs in seconds :)  Be sure to share if you do.  I wouldn't bother with the domain names because they seem to be very temporary.

Here are three such headers from this spammer, and all of the domain names were registered recently through pairNIC.com, http://whois.pairnic.com/

Matt


andyb wrote:
So, the line

MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

should have 2 x's because of the 2 tiered weighting system I'm using?

Thanks,

Andy

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 05, 2003 7:13 PM
Subject: Re: [Declude.JunkMail] one more try...

to be sure, the syntax would be:

in Global.cfg:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

In myfilter.txt:
MAILFROM    5    STARTSWITH b.

That would work fine.

Isn't this adding the weight of 5 twice?  I'd like it to only be added once.

Yes, that would add the weight twice.  The total weight for the test is a combination of the general weight for the test (the "5" in the "MYFILTER filter" line) plus the weight for each line that matches (the "MAILFROM 5" line).

In this case, you might instead want to use:

MAILFROM    0    STARTSWITH b.

-Scott

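As an added illustration (not Declude's own code, and not posted by anyone in this thread), here is a small Python simulation of the scoring Scott describes above: a filter file of "TEST  WEIGHT  OPERATOR  VALUE" lines, where a filter that fires contributes the general weight from its global.cfg line plus the weight of every matching line. It runs Andy's original "MAILFROM 5 STARTSWITH b." line next to Scott's "MAILFROM 0" version, and then a stand-in for Matt's filter. The page's own MAILFROM lines are redacted, so the stand-in lines are constructed from Matt's description (a digit immediately before "@b.") together with his X-JLH header check, trailing space included. Everything not stated on the page is an assumption and marked as such in the comments: that the general weight is added once and only when at least one line matches, that comparisons are case-insensitive, that HEADERS is matched against the whole raw header block, and that "#" lines are comments. The sample messages are constructed, not real captures.

```python
"""Simulate the two-tier Declude filter scoring described in the thread.

Added illustration, not Declude's own code. Taken from the thread: a filter
file holds lines of the form  TEST  WEIGHT  OPERATOR  VALUE, and a filter
that fires adds its general weight (from global.cfg) plus the weight of every
matching line. Assumptions (not stated on the page): the general weight is
added once and only when at least one line matches; matching is
case-insensitive; HEADERS is checked against the whole raw header block.
"""
from dataclasses import dataclass


@dataclass
class FilterLine:
    test: str      # MAILFROM or HEADERS (the two tests used in the thread)
    weight: int    # per-line weight (the "5" or "0" in the second column)
    op: str        # CONTAINS or STARTSWITH
    value: str     # trailing whitespace kept on purpose (see "X-JLH: ")


def parse_filter_file(text: str) -> list[FilterLine]:
    """Parse filter lines; blank lines and '#' comments are skipped (assumed)."""
    lines = []
    for raw in text.splitlines():
        raw = raw.lstrip()
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(None, 3)   # remainder keeps the value intact, trailing space included
        if len(parts) != 4:
            raise ValueError(f"malformed filter line: {raw!r}")
        test, weight, op, value = parts
        lines.append(FilterLine(test.upper(), int(weight), op.upper(), value))
    return lines


def _matches(op: str, haystack: str, needle: str) -> bool:
    h, n = haystack.lower(), needle.lower()     # case-insensitive (assumption)
    if op == "CONTAINS":
        return n in h
    if op == "STARTSWITH":
        return h.startswith(n)
    raise ValueError(f"unsupported operator: {op}")


def score_filter(filter_lines, general_weight, mailfrom, raw_headers):
    """Return (weight_added, matched_values) for one filter test on one message.

    weight_added = general_weight + sum of the weights of matching lines,
    or 0 if no line matches (Scott's description of the two-tier weighting).
    """
    fields = {"MAILFROM": mailfrom, "HEADERS": raw_headers}
    matched = [fl for fl in filter_lines if _matches(fl.op, fields[fl.test], fl.value)]
    if not matched:
        return 0, []
    return general_weight + sum(fl.weight for fl in matched), [fl.value for fl in matched]


# Andy's filter as first written (line weight 5) and as Scott suggested (line weight 0).
ANDY_FILTER_DOUBLE = "MAILFROM    5    STARTSWITH b."
ANDY_FILTER_FIXED = "MAILFROM    0    STARTSWITH b."

# Constructed stand-in for Matt's filter: the page's MAILFROM lines are redacted,
# so these follow his description (a digit right before "@b.") plus his header
# check, with the space after the colon kept.
MATT_FILTER = "\n".join(f"MAILFROM   0   CONTAINS   {d}@b." for d in range(10)) \
    + "\nHEADERS    0    CONTAINS    X-JLH: "

GENERAL_WEIGHT = 5   # the "5" in the "MYFILTER filter ... 5 0" global.cfg line

# Constructed sample messages (not real captures).
SPAM_MAILFROM = "90217@b.example-offer.test"          # VERP-style digits before "@b."
SPAM_HEADERS = "Received: from 192.0.2.10\nX-JLH: 4f2a91\nSubject: You have won\n"
LEGIT_MAILFROM = "news@b.example.org"                  # "@b." but no digit before it
LEGIT_HEADERS = "Received: from 198.51.100.7\nSubject: weekly digest\n"


def demo() -> dict:
    """Score the sample messages; returns the numbers discussed in the thread."""
    matt = parse_filter_file(MATT_FILTER)
    bare = parse_filter_file("MAILFROM 0 CONTAINS @b.")   # without Matt's digit guard
    return {
        # general 5 + line 5: the weight Andy did not want added twice
        "andy_double": score_filter(parse_filter_file(ANDY_FILTER_DOUBLE), GENERAL_WEIGHT,
                                    "b.12345@example.test", "")[0],
        # general 5 + line 0: Scott's suggestion
        "andy_fixed": score_filter(parse_filter_file(ANDY_FILTER_FIXED), GENERAL_WEIGHT,
                                   "b.12345@example.test", "")[0],
        "matt_spam": score_filter(matt, GENERAL_WEIGHT, SPAM_MAILFROM, SPAM_HEADERS),
        "matt_legit": score_filter(matt, GENERAL_WEIGHT, LEGIT_MAILFROM, LEGIT_HEADERS),
        # a bare "@b." line would hit the legitimate address; the digit avoids that
        "bare_at_b_legit": score_filter(bare, GENERAL_WEIGHT, LEGIT_MAILFROM, LEGIT_HEADERS)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The digit lines and the header line each carry weight 0, so the whole filter adds exactly the general weight once no matter how many of its lines match, which is the behaviour Andy was after; the "bare_at_b_legit" entry shows why Matt put a digit in front of "@b." rather than matching "@b." alone.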
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
