I agree. While a body filter may not be the most EFFICIENT way, it is definitely the most EFFECTIVE way. Like Chuck, I can't weight SpamDomains high enough to hold, and even if I could, what if the message gets negative points from something else like spamchk. With a separate body filter that I can HOLD or even DELETE on, I don't have to worry about one of them slipping in under the radar. That said, yes, I think Kami's posts are very proper for the list, as it helps me build my filter. Just like when spamdomains first came out and everyone was posting new lines for that file as they found them.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick Sent: Tuesday, October 05, 2004 12:07 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Citibank - phishing- still live Unfortunately spamdomains is a test that has a lot of false positives and there is not real solid list of spamdomains. Because of that we have to weight spamdomains low, so I could never say that users would not see such an email because of spam domains alone. On the other hand I can give a very high weight to urls contained in the body of an email and will have almost no false positives. Just my thoughts on the matter. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Tuesday, October 05, 2004 9:14 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Citibank - phishing- still live Whether I classify them as spam or not, I don't post every spam that I receive to this list. My point is that if you are blocking phish based on individual URLs I think you are not doing it in the most efficient way. Simply adding... @ameritrade.com .ameritrade.com @citi.com .citibank.com @citibank.com .citibank.com @ebay.com .ebay.com @fleet.com .fleet.com .gs.com @paypal.com .paypal.com @suntrust.com .suntrust.com @visa.com .visa.com @wellsfargo.com .wellsfargo.com to the text file which maps to my Spamdomains test keeps all of the phish away from my users since none of these messages every originate from the proper domains. Dan ----- Original Message ----- From: "Bill Landry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, October 05, 2004 10:58 AM Subject: Re: [Declude.JunkMail] Citibank - phishing- still live > Where else would you suggest they be posted, after all, phishing > e-mail are > spam in my book. However, with that said, more and more virus vendors > are starting to add phishing e-mail recognition to their virus > definitions. Both uvscan (NAI/McAfee) and the latest release > candidates for ClamAV support phishing e-mail detection. > > Bill > ----- Original Message ----- > From: "Dan Geiser" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Tuesday, October 05, 2004 4:22 AM > Subject: Re: [Declude.JunkMail] Citibank - phishing- still live > > > Can I ask why you guys post these to the Declude JunkMail discussion > list? It doesn't seem to have anything to do with the subject matter > of this list. > > ----- Original Message ----- > From: Kami Razvan <mailto:[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > Sent: Tuesday, October 05, 2004 6:56 AM > Subject: [Declude.JunkMail] Citibank - phishing- still live > > Hi; > the following is another phishing attempt- the site still live. > > http://211.158.34.250/citifi/ <http://211.158.34.250/citifi/> > > Regards, > Kami > > > ==== Email > > Subject: [37~]Dear customer your details have been compromised > MIME-Version: 1.0 (produced by annunciatemarginalia 8.2) > Content-Type: multipart/alternative; boundary="--938071008627732911" > X-RBL-Warning: IPNOTINMX: > X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail > detected. > X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. > X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL > dynablock - http://njabl.org/dynablock.html > <http://njabl.org/dynablock.html> " > X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a > potential spam source listed in NJABL-DUL. > X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]> " > X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: > http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11 > <http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11> " > X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 198, weight > 13) > X-Declude-Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > [12.107.246.11] > X-Declude-Spoolname: D26691b0502409fba.SMD > X-Note: > ================================================================== > X-Note: Spam Score: 37 [BLOCKED ON 20+ & DELETED ON 40+] > X-Note: Scan Time: 00:43:47 on 05 Oct 2004 > X-Note: Spool File: D26691b0502409fba.SMD > X-Note: Server Name: dialup-12-107-246-11.dtccom.net > X-Note: SMTP Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > X-Note: Reverse DNS & IP: dialup-12-107-246-11.dtccom.net > [12.107.246.11] > X-Note: Country Chain: UNITED STATES->destination > > > ----938071008627732911 > Content-Type: text/plain; > charset="iso-2059-6" > Content-Transfer-Encoding: quoted-printable > Content-Description: nicholson salmonberry biblical > > Dear Customer: > > Recently there have been a large number of cyber attacks pointing our > data= > base servers. In order to safeguard your account, we require you to sign > o= > n immediately. > > This personal check is requested of you as a precautionary measure and > to = > ensure yourselves that everything is normal with your balance and > personal= > information. > > This process is mandatory, and if you did not sign on within the nearest > t= > ime your account may be subject to temporary suspension. > > Please make sure you have your Citibank(R) debit card number and your > User= > ID and Password at hand. > > Please use our secure counter server to indicate that you have signed > on, = > please click the link bellow: > > http://211.158.34.250/citifi/ <http://211.158.34.250/citifi/> > > !! Note that we have no particular indications that your details have > been= > compromised in any way. > > Thank you for your prompt attention to this matter and thank you for > using= > Citibank(R) > > Regards, > > Citibank(R) Card Department > > (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., > Citibank (West), FSB. Member FDIC.Citibank and Arc > Design is a registered service mark of Citicorp. > > ----938071008627732911-- > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > ----------------------------------------------------------------------- > Sign up for virus-free and spam-free e-mail with Nexus Technology Group > http://www.nexustechgroup.com/mailscan > > ----------------------------------------------------------------------- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
