Funny how these companies have 100 different names :) I think I've shared these before, but here's some lines that work on Green Horse Corporation:

NOTE: replace $ with a dot (changed not to trip some filters).

# Green Horse Corporation (SBL12495)
BODY        28    CONTAINS    /img/c$0/
BODY        28    CONTAINS    /img/o$0/
BODY        28    CONTAINS    /img/v$0/
BODY        3    CONTAINS    http://t$
BODY        8    CONTAINS    mailserver$com/

Also, I've done some pattern matching on the banned c-d guy that can't sell (also cable, travel and other crud sent from zombies).

# Korean Dictionary Spammer that Can't Spell
HEADERS        8    CONTAINS    .comIP with HTTP;
HEADERS        8    CONTAINS    .netIP with HTTP;
HEADERS        8    CONTAINS    .orgIP with HTTP;
HEADERS        5    CONTAINS    x-mailer: mpop web-mail 2.19

Note that mPOP is a real mailer, however it is Korean made and I've only seen legit use in Google searches from Asian and Russian senders, and legitimate use is very low. The header matches are an error in the code that appears to be exclusive to his software, though I'm not sure. This should allow you to tag the guy regardless of the domain that he uses (which changes every week or so).

Matt



Marc Hilliker wrote:

Kami,

Maybe you already know this but just in case you or others don't,
mailserveruser.com is a domain that belongs to Green Horse Corporation (aka
atriks.com). There is quite a list of domains (60+?) that this group of scum
own. I made a filter looking for those domains in the body of the email and
it catches a good number daily.

For more info see:
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495


- Marc


----- Original Message -----
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 7:19 AM
Subject: [Declude.JunkMail] Interesting concept..


I guess this qualifies as things that make you go hmmmm...


http://www.mailserveruser.com/email_deployment.html


Regards, Kami

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.





--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
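The following is an added example, not part of the thread and not Declude's code: a small Python evaluator that applies the filter lines posted above to two constructed messages, to show how the low-weight mailer match and the malformed "IP with HTTP;" header match combine. Case-insensitive substring matching and summing of weights are assumptions made for the illustration, and the sample messages and host names are constructed.

```python
import re

# Filter lines as posted in the thread ("$" stands in for "." per the NOTE).
RULES = """\
# Green Horse Corporation (SBL12495)
BODY        28    CONTAINS    /img/c$0/
BODY        28    CONTAINS    /img/o$0/
BODY        28    CONTAINS    /img/v$0/
BODY        3    CONTAINS    http://t$
BODY        8    CONTAINS    mailserver$com/
# Korean Dictionary Spammer that Can't Spell
HEADERS        8    CONTAINS    .comIP with HTTP;
HEADERS        8    CONTAINS    .netIP with HTTP;
HEADERS        8    CONTAINS    .orgIP with HTTP;
HEADERS        5    CONTAINS    x-mailer: mpop web-mail 2.19
"""

def parse_rules(text):
    """Return (scope, weight, pattern) tuples; '$' is restored to '.'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scope, weight, op, pattern = line.split(None, 3)
        if scope not in ("BODY", "HEADERS") or op != "CONTAINS":
            raise ValueError("unsupported rule: " + line)
        rules.append((scope, int(weight), pattern.replace("$", ".").lower()))
    return rules

def score(raw_message, rules):
    """Assumed semantics: case-insensitive substring match, weights summed."""
    head, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continued header lines
    parts = {"HEADERS": head.lower(), "BODY": body.lower()}
    hits = [(s, w, p) for s, w, p in rules if p in parts[s]]
    return sum(w for _, w, _ in hits), hits

# Constructed samples (not real mail); hosts use reserved example domains.
SPAM = ("Received: from unknown (192.0.2.10) by web1.example.netIP with HTTP;\n"
        "\tTue, 20 Jan 2004 07:00:00 -0500\n"
        "X-Mailer: mPOP Web-Mail 2.19\nSubject: offer\n\n"
        '<img src="http://t.example.net/img/c.0/a.gif">\n')
LEGIT = ("Received: from a.example.org by b.example.org with ESMTP;\n"
         "\tTue, 20 Jan 2004 07:00:00 -0500\n"
         "X-Mailer: mPOP Web-Mail 2.19\nSubject: hello\n\n"
         "See you at http://www.example.org/ next week.\n")

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("legit", LEGIT)):
        total, hits = score(msg, parse_rules(RULES))
        print(name, total, [p for _, _, p in hits])
```

The constructed legitimate message only picks up the mailer weight, while the constructed spam sample also trips the header and body lines.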

