On the subject of Habeas, here's an example of Topica abusing Habeas :)

http://groups.google.com/groups?q=tpca.net+group:*abuse*&hl=en&lr=&ie=UTF-8&scoring=d&selm=20030313204242.A16152AA1D%40earl-grey.cloud9.net&rnum=4

Note that this block was identified by Topica as being used exclusively for Yahoo! News mailings, however it appears to only be spam now.  They encourage people to whitelist certain parts of their IP address space, only to turn around and start spamming from them.  Another nice evidence file:

http://www.dolphinwave.org/spam/topica.com.txt

They do this game to avoid blocking.  They also actively listwash instead of removing list owners that spam from the primary Topica servers.

Matt



Bill wrote:
I received 13 of these today in my personal e-mail.  I changed Habeas
from whitelist to weight -5 and it seems to have fixed the problem.
Don't know yet if non-spam is getting blocked but I doubt it.

Here is a log entry after change (weight was 36 even with the -5):

01/13/2004 11:09:12 Q26340f0201364351 HABEAS:-5 AHBL:6 CBL:4 DSBL:6
SORBS-SOCKS:5 SORBS-DUHL:4 SPAMCOP:7 SNIFFER2:9 .  Total weight = 36.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed HABEAS ().
Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed AHBL ("Open Proxy -
http://www.ahbl.org/tools/lookup.php?ip=68.57.145.231"). Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed CBL ("Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=68.57.145.231"). Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed DSBL
("http://dsbl.org/listing?ip=68.57.145.231"). Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed SORBS-SOCKS ("Dynamic
IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.57.145.231").
Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed SORBS-DUHL ("Dynamic IP
Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.57.145.231").
Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed SPAMCOP ("Blocked - see
http://www.spamcop.net/bl.shtml?68.57.145.231"). Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed WEIGHT10 (Weight of 36
reaches or exceeds the limit of 10.). Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed WEIGHT15 (Weight of 36
reaches or exceeds the limit of 15.). Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed WEIGHT20 (Weight of 36
reaches or exceeds the limit of 20.). Action=""
01/13/2004 11:09:12 Q26340f0201364351 Msg failed SNIFFER2 (Message
failed SNIFFER2: 52.). Action=""
01/13/2004 11:09:12 Q26340f0201364351 Subject: Got Pills?Valï(u)m,
V|@gra, X(a)[EMAIL PROTECTED], S0ma Di3t Pills Many M3ds brEWTRhNhf 
01/13/2004 11:09:12 Q26340f0201364351 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 68.57.145.231 ID: 


Here is the change in Global.cfg:

#WHITELIST	HABEAS
HABEAS  	habeas  x       x       -5      0


Bill


  
-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of andyb
Sent: Tuesday, January 13, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] whitelisted


HI,

I'm getting spam, and it is being whitelisted because of 
HABEAS...  Here are the headers.

These emails are definitely spam.  Looks like HABEAS has been 
compromised?

Comments Please.

thanks, Andy

Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
  (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004 
03:42:04 -0200
Message-ID: <[EMAIL PROTECTED]>
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.
From: "Blaine Shaffer" <[EMAIL PROTECTED]>
Reply-To: "Blaine Shaffer" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many 
M3ds Y5iov
Date: Tue, 13 Jan 2004 04:49:04 -0100
X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="--891940459175399"
X-Priority: 5
X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
X-RBL-Warning: Total weight: 0
X-Note: Total spam weight of this E-mail is 0.
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 370486507
Status: U



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
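
Added example, not part of the thread and not Declude's own code: it parses the weight summary line from the log quoted above and scores the same test results under the two HABEAS policies discussed, whitelist versus a -5 weight. The whitelist behaviour (total forced to 0) is an assumption modelled on the `Whitelisted [0]` header in the original message; the function names are hypothetical.

```python
import re

# Constructed input: the weight summary line from the log entry quoted above.
LOG_LINE = ("01/13/2004 11:09:12 Q26340f0201364351 HABEAS:-5 AHBL:6 CBL:4 DSBL:6 "
            "SORBS-SOCKS:5 SORBS-DUHL:4 SPAMCOP:7 SNIFFER2:9 .  Total weight = 36.")

THRESHOLDS = (10, 15, 20)  # WEIGHT10 / WEIGHT15 / WEIGHT20 limits seen in the log

TEST_RE = re.compile(r"\b([A-Z][A-Z0-9-]*):(-?\d+)\b")
TOTAL_RE = re.compile(r"Total weight = (-?\d+)")


def parse_weight_line(line):
    """Return ({test name: weight}, logged total or None) for a summary line."""
    tests = {name: int(weight) for name, weight in TEST_RE.findall(line)}
    match = TOTAL_RE.search(line)
    return tests, (int(match.group(1)) if match else None)


def score(tests, whitelist=()):
    """Sum the weights; a hit on any whitelisted test forces the total to 0
    (assumed model of the WHITELIST line, not Declude's implementation)."""
    if any(name in tests for name in whitelist):
        return 0
    return sum(tests.values())


def tripped(total):
    """Names of the weight thresholds that a total reaches or exceeds."""
    return [f"WEIGHT{limit}" for limit in THRESHOLDS if total >= limit]


def compare(line, mark="HABEAS"):
    """Score one message under both policies for a sender-supplied mark."""
    tests, logged = parse_weight_line(line)
    weighted = score(tests)
    if logged is not None and logged != weighted:
        raise ValueError(f"parsed weights sum to {weighted}, log says {logged}")
    whitelisted = score(tests, whitelist=(mark,))
    other = sum(w for name, w in tests.items() if name != mark)
    return {
        "weighted": (weighted, tripped(weighted)),
        "whitelisted": (whitelisted, tripped(whitelisted)),
        "other_tests": other,  # evidence a whitelist hit would discard
    }


if __name__ == "__main__":
    for mode, result in compare(LOG_LINE).items():
        print(mode, result)
```
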
