Attached are a couple of scripts (and sample output) that can be used, if using log level MID or higher, to output the "From" e-mail address and sending IP address (first script), or output just the sending IP addresses, listed by count (second script).
HTH,
Bill
----- Original Message -----
Sent: Wednesday, November 05, 2003 6:21 PM
Subject: Re: [Declude.JunkMail] one more try...
Andy,
I tried sending this twice, but I think Scott's server blocked it because of the content in the headers, so the headers are attached as a zip this time. Your global.cfg would have something like the following and the adjusted filter file is in the original reply pasted below (name the filter whatever you wish).
[EMAIL PROTECTED] filter C:\IMail\Declude\Filters\[EMAIL PROTECTED] x 5 0
Then the original reply (adjusted a little)...
Matt
Actually, I think this one is in the format of [EMAIL PROTECTED], so the filter would need to be:
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
I put a number before the domain because it appears that this spammer uses VERP and the pattern always has a number before the "@b." so this will help protect from false positives. I just wouldn't necessarily kill it for just this one thing, and I don't think you have to because this stuff isn't getting through my server, so it's picking up points from RBL's and other things.
I've seen this stuff coming through my own machine and noted it because of the question earlier. I fear that the pattern is only temporary, but if I'm not mistaken, this is from one of the contest type of spammers with a set group of IP's that they send out from. You could more effectively search for hits and take the IP addresses out and then filter for those as long-term prevention in the event that this pattern fails (which I expect it will). Bill could probably grep that info from his logs in seconds :) Be sure to share if you do. I wouldn't bother with the domain names because they seem to be very temporary.
Here are three such headers from this spammer, and all of the domain names were registered recently through pairNIC.com, http://whois.pairnic.com/
Matt
andyb wrote:
So, the line
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
should have 2 x's because of the 2 tiered weighting system I'm using?
Thanks,
Andy
----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 05, 2003 7:13 PM
Subject: Re: [Declude.JunkMail] one more try...
to be sure, the syntax would be:
in Global.cfg:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
In myfilter.txt:
MAILFROM 5 STARTSWITH b.
That would work fine.
Isn't this adding the weight of 5 twice? I'd like it to only be added once.
Yes, that would add the weight twice. The total weight for the test is a combination of the general weight for the test (the "5" in the "MYFILTER filter" line) plus the weight for each line that matches (the "MAILFROM 5" line).
In this case, you might instead want to use:
MAILFROM 0 STARTSWITH b.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
--
===================================================
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---------------------------------------------------
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===================================================