I notice an increase in held E-mail whenever the crud spammers are more active. It's hard to score these guys very high when a campaign first starts. I would try finding their URLs and black list those, but only when attached to crud spam, and since they are short-lived, you can delete the entries after only a few months. The problem here is that they tend to switch out URLs every few days with this type of spam (pills, patches, etc.). This stuff comes from zombie machines and while it's somewhat easy to catch with generic filters, it's difficult to score high if they find a clean IP that hasn't been listed in SpamCop and others.

Another issue is that the spammers with static IPs will move around to different blocks and even when the spammer is listed in SBL, they will have plenty of addresses that aren't and can score low or even get past filters. Knowing the address space of this type of spammer is useful. Check your held E-mail for the following blocks of IPs for instance:


This is all one guy, and it's probably only half of his IP space if that. It would be nice if someday we could come up with a trusted system to gather this information and share it among admins, but limit it to only clear and obvious static IP addresses that are used by spam gangs (the SBL type).

In the meantime, you might be able to greatly lessen your workload by targeting this stuff with specific filters. The stuff above is quite safe to delete, at least for the time being.

Matt
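A sketch of the held-mail check described above, added here as an example and not code from the post or from Declude: it takes the connecting IP from the first Received: header of each held message (the one our own MTA wrote; anything below it can be forged), matches it against a list of known static spam blocks, and pushes matching messages over the delete threshold. The hold/delete scores are the 10/20 from the thread; the block list uses placeholder documentation ranges rather than the blocks from the post, and the bump value and the helper names are assumptions.

```python
import re
import ipaddress

# Constructed placeholder ranges from documentation address space, standing in
# for the static blocks a spam gang is known to use (not the post's own list).
KNOWN_SPAM_BLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "198.51.100.128/26")]

# Connecting host's address as our MTA records it, e.g. "(... [192.0.2.5])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message):
    """IP of the host that handed the message to our own MTA.

    Received: headers are prepended, so the first one is ours and the only one
    we trust; lower ones were written (or forged) before the mail reached us.
    """
    header = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", header)          # join folded header lines
    for line in unfolded.split("\n"):
        if line.lower().startswith("received:"):
            m = RECEIVED_IP.search(line)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None


def in_known_blocks(ip, blocks=KNOWN_SPAM_BLOCKS):
    return ip is not None and any(ip in block for block in blocks)


def triage(held, hold_at=10, delete_at=20, bump=15):
    """Re-score held mail: a hit on a known block adds `bump` points (assumed
    value), so a message held near 10 crosses the delete threshold; everything
    else keeps its score and stays in the held queue for manual review."""
    decisions = {}
    for msg_id, score, raw in held:
        if in_known_blocks(connecting_ip(raw)):
            score += bump
        decisions[msg_id] = "delete" if score >= delete_at else "hold" if score >= hold_at else "release"
    return decisions


# Constructed sample held messages: (id, current score, raw headers + body).
HELD = [
    ("m1", 12, "Received: from mx.example.net (mail.example.net [192.0.2.7])\n"
               "\tby mx.ours.example; Tue, 1 Jul 2003 10:00:00 -0600\n"
               "From: x@example.net\nSubject: pills\n\nbody"),
    ("m2", 12, "Received: from host.example.org ([203.0.113.9])\n"
               "\tby mx.ours.example; Tue, 1 Jul 2003 10:01:00 -0600\n"
               "Received: from forged ([192.0.2.7])\n\nbody"),
]

if __name__ == "__main__":
    print(triage(HELD))   # {'m1': 'delete', 'm2': 'hold'}
```

The second sample shows why only the top Received: line is consulted: the forged lower header names a listed address, but the host that actually connected to us is not in any block, so the message stays held rather than being deleted.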

Chuck Schick wrote:

We are an ISP and we host a lot of domains so our mail volume is healthy.
We hold at 10 and delete at 20.  We also have our in-house blacklist that
automatically deletes any mail from certain domains.  Of the incoming spam
messages we are deleting about 80% but that still leaves several thousand
messages per day that are held.  Presently we go through the held messages
using spamreview - returning the false positives to the spool.  As the spam
has been going up - so have the messages in the held folder so this is
starting to become labor intensive.

I just wanted to query the list to see if I am missing something that would
streamline the process.  And yes we are tweaking to reduce the false
positives.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com