Scot,

The dictionary randomization is obviously a better system and won't get tagged by many of my tests.  The DYNAMIC filter would have scored this one though, as well as some others.  It would be a good idea to look at adding canada.com to SPAMDOMAINS if you can find the standard reverse DNS entries for their service (please share the info if you do find it so that I can add it too).  This type of spam will mostly use domains appropriate for SPAMDOMAINS, which makes it a great test if you have the entries.  I recommend configuring SPAMDOMAINS in the following format:

    @aol.com      aol.com

I score my DYNAMIC filter at a 3, and it is over 98% positive on spam of this type since it likely comes from broadband zombie machines.  That would have been enough to fail this message on your system.  Considering that you have seen the URL several times, Message Sniffer might have it listed, and SPAMCOP has now added the IP as well.

Attached is a more current version of DYNAMIC.  This is definitely better than what was previously shared since I excluded some business-class providers from scoring points by way of negative weight.  In addition to this custom filter, there are recommendations for which DUL lists to add and the relative scoring.  That IP also scores a hit for EASYNET-DYNA, which adds another 4 points in my configuration.

If that message had missed all of the non-DUL type RBLs, and had no effective body filtering or SPAMDOMAINS hits, it would have still scored as follows on my system:

    4 - EASYNET-DYNA
    3 - DYNAMIC
    3 - FOREIGN
    1 - NOABUSE
    1 - NOPOSTMASTER
    =============================
    12 Points Total (fails at 10)

Make sure that you customize the appropriate lines in the DYNAMIC filter for your own local domains and reverse DNS entries so it won't add points to that type of E-mail (will miss some forged spam, but it is necessary).

Matt
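An added example, not Matt's filter and not Declude's own code, that sketches the scoring logic described above in Python: a DYNAMIC-style reverse-DNS test with a local-domain exclusion, a SPAMDOMAINS-style check in the `@aol.com  aol.com` shape, and the weighted sum against the fail threshold. The weights follow the table above; the SPAMDOMAINS weight, the provider rDNS suffixes, the dynamic-host pattern and the sample MAILFROM are assumptions.

```python
import re

# Weights as stated in the message above; the SPAMDOMAINS weight is an assumption.
WEIGHTS = {"EASYNET-DYNA": 4, "DYNAMIC": 3, "FOREIGN": 3, "SPAMDOMAINS": 3,
           "NOABUSE": 1, "NOPOSTMASTER": 1}
FAIL_AT = 10

# SPAMDOMAINS table in the "@aol.com  aol.com" shape: claimed sender domain ->
# rDNS suffix of that provider's real outbound servers (suffixes are assumptions).
SPAMDOMAINS = {"aol.com": "aol.com", "yahoo.com": "yahoo.com"}

# Your own domains whose rDNS must never score DYNAMIC (customize per site).
LOCAL_RDNS = ("njaccess.com",)

# rDNS that embeds the IP (68-232-53-222.atlsfl...) or carries dynamic-pool words.
DYNAMIC_RE = re.compile(
    r"^(\d{1,3}[-.]){3}\d{1,3}\.|[-.](dyn|dsl|cable|dhcp|pool|ppp)[-.\d]", re.I)

def dynamic_hit(rdns: str) -> bool:
    """DYNAMIC-style test: does the connecting host's reverse DNS look residential?"""
    rdns = rdns.lower()
    if rdns.endswith(LOCAL_RDNS):   # never score our own hosts
        return False
    return DYNAMIC_RE.search(rdns) is not None

def spamdomains_hit(mailfrom: str, rdns: str) -> bool:
    """SPAMDOMAINS-style test: MAILFROM claims a big provider but the host is not theirs."""
    expected = SPAMDOMAINS.get(mailfrom.rpartition("@")[2].lower())
    if expected is None:
        return False
    rdns = rdns.lower()
    return rdns != expected and not rdns.endswith("." + expected)

def score(mailfrom: str, rdns: str, other_hits: list) -> tuple:
    """Sum the weights of every failed test; returns (total, failed tests, fails?)."""
    failed = list(other_hits)
    if dynamic_hit(rdns):
        failed.append("DYNAMIC")
    if spamdomains_hit(mailfrom, rdns):
        failed.append("SPAMDOMAINS")
    total = sum(WEIGHTS.get(t, 0) for t in failed)
    return total, failed, total >= FAIL_AT

if __name__ == "__main__":
    # Constructed from the sample below: rDNS from X-SpamWatch-ReverseLookUp; the
    # MAILFROM was redacted in the post, so a made-up sender stands in for it.
    print(score("isaac@example.net", "68-232-53-222.atlsfl.adelphia.net",
                ["EASYNET-DYNA", "FOREIGN", "NOABUSE", "NOPOSTMASTER"]))
```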



Scot Desort wrote:
Matt:

> The FOREIGN/TLD filter set that I shared yesterday for instance would
> have added at least 3 points to this message and possibly two more
> depending on the X-Declude-Sender which you cut out.

I saw your post and I have not yet added that filter. I will be reviewing it
shortly and plan on adding it tomorrow.

> This type of spam
> also tends to randomize the From, HELO and MAILFROM addresses, and/or
> use common domains like aol.com or yahoo.com, in which case some points
> from a SPAMDOMAINS test would be effective.

No, passed through spamdomains without being tagged.

> The body often has
> gibberish in it, if not the subject, and the my GIBBERISH filters work
> for that, or they use obfuscation to hide URL's from filtering software
> which can also be caught without keeping track of the URL's themselves.

No. Your GIBBERISH filter did not get triggered either. I am using your
latest release.

> This spam is also commonly sent from zombie machines resulting from
> virus infections, and they are often on residential broadband networks,
> in which case my DYNAMIC filter might add some points (but not in this
> case).

I don't recall seeing your DYNAMIC filter before. Would you mind reposting,
or is it on your site?

> Message Sniffer also might be tracking the URL's in the body for
> another potential hit.

I am still experimenting with Sniffer. Maybe it would have added some
points.

> Maybe if you shared the entirety of the message body plus the MAILFROM,
> I and others could tell you what common used/shared filters might be
> effective.

OK. Here's another with headers and message body intact. This one also did
not trigger gibberish, obfuscation, comments, or spamdomains:

X-F: <[EMAIL PROTECTED]> Mon Nov 10 20:36:46 2003
Received: from 68-232-53-222.atlsfl.adelphia.net [68.232.53.222] by
njaccess.com
  (SMTPD32-6.06) id AD2BB120124; Mon, 10 Nov 2003 20:36:43 -0500
Received: from 80.80.226.90 by 68.232.53.222; Mon, 10 Nov 2003 19:31:08
+0600
Message-ID: <[EMAIL PROTECTED]>
From: "Isaac" <[EMAIL PROTECTED]>
Reply-To: "Isaac" <[EMAIL PROTECTED]>
To:  [EMAIL PROTECTED]
Subject: Re: %RND_UC_CHAR[2-8], excuse me!' boldly
Date: Mon, 10 Nov 2003 08:35:08 -0500
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--2352250528194467"
X-Priority: 1
X-MSMail-Priority: High
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-Warn: This message contains content that is likely spam Message failed
SPAMCHK: 4.
X-Declude-Sender: [EMAIL PROTECTED] [68.232.53.222]
X-Declude-Spoolname: D3d2b124.SMD
X-SpamWatch-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, NOLEGITCONTENT,
SPAMCHK [7]
X-SpamWatch-Country-Chain: SWITZERLAND->[ARIN Unlisted]->destination
X-SpamWatch-ReverseLookUp: 68-232-53-222.atlsfl.adelphia.net
([68.232.53.222]).
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 362076711
Status: U

----2352250528194467
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12=
51">
<META content=3D"MSHTML 6.00.2800.1141" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<font color=3D"white">douse henri deliver dewitt elk jetliner bed macropha=
ge demented characteristic curtsey superlunary decouple bergen
committing=20=
</font>
<body>
</font>
  <p>O</shipman>ur U</btl>S Li</lourdes>censed Doc</saccharine>tors wi</pr=
ey>ll<BR>
Prescr</helpful>ibes Y</before>our Me</dirt>dication F</beijing>or F</book=
end>ree
</FONT>
  <p>  Medicatio</bloke>ns&nbsp; Shi</pliable>pped Overni</witness>ght To =
Y</vestal>our Do</paramus>or.<BR>
  Phe</fern>ntermine, Ad</woodward>ipex Soma</taunt>, Fi</hifalutin>oriice=
t, U</fetid>lltram,<BR>
, Vi</ware>agra, a</meteor>nd ma</deceitful>ny, m</gainesville>any oth</lo=
bo>ers.<BR>
Me</barbara>ds f</vhf>or: Weig</doorbell>ht Los</pierce>s, Pa</congress>in=
 Re</borneo>lief, Mus</ackerman>clePain Re</bodied>lief, Wo</fusty>men's H=
ea</equitation>lth, Me</cloakroom>n's<BR>
Hea</blueback>lth, I</armful>mpotence, A</masonic>llergy Re</cairn>lief, H=
</dodecahedral>eartburn Re</eloquent>lief, Mig</assay>raine R</gnat>elief =
&amp; M</steinberg>ORE<BR>
Up</chicano>on Appr</becalm>oval</FONT>&nbsp;
<a href="http://www.pouvrcentral.biz/vpr6232/">sho</conceive>w
M</flanagan>e mo</footpad>re</a>
<p><img border=3D"0" src="http://www.creditcard2003.com/p3x.jpg"></p>
<br>
<br>
fib darn saracen hellenic ancestral butane dan gator gallonage talus appre=
hension forgive=20
</BODY>
</HTML>

----2352250528194467--



Thanks,

Scot


Attachment: Dynamic_11-05-2003.zip
Description: Zip compressed data
