Chuck, and others,

Maybe you should consider splitting your spamdomain file to multiple files with different weights.

While messages from yahoo, msn and Co. could have many FP's as users are connecting from everywhere, you shouldn't see any message from other typical spamdomains (like citibank) not matching the spamdomain-rule.

Someone (Scott Fisher?) has a great list of spamdomains categorized in SD-STRONG SD-LOW SD-PISH ...

SD-PISH on my server has a spam-accuracy of 100% (no false positives) in over 360.000 processed messages.

Here's the list of domains for SD-PISH:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@paypal.com .paypal.
@ebay.com .ebay.
.ebay.com .emailebay.com
citibank.com .ssmb.com
commercebank.com .psmtp.com
fleet.com .bkb.com
@usbank.com .usbank.com
wellsfargo.com .norwest.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
> Sent: Tuesday, October 05, 2004 6:07 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Citibank - phishing- still live
>
> Unfortunately spamdomains is a test that has a lot of false positives and there is no real solid list of spamdomains. Because of that we have to weight spamdomains low, so I could never say that users would not see such an email because of spam domains alone. On the other hand I can give a very high weight to urls contained in the body of an email and will have almost no false positives. Just my thoughts on the matter.
>
> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> Sent: Tuesday, October 05, 2004 9:14 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
>
> Whether I classify them as spam or not, I don't post every spam that I receive to this list.
>
> My point is that if you are blocking phish based on individual URLs I think you are not doing it in the most efficient way. Simply adding...
>
> @ameritrade.com .ameritrade.com
> @citi.com .citibank.com
> @citibank.com .citibank.com
> @ebay.com .ebay.com
> @fleet.com .fleet.com
> .gs.com
> @paypal.com .paypal.com
> @suntrust.com .suntrust.com
> @visa.com .visa.com
> @wellsfargo.com .wellsfargo.com
>
> to the text file which maps to my Spamdomains test keeps all of the phish away from my users since none of these messages ever originate from the proper domains.
>
> Dan
>
> ----- Original Message -----
> From: "Bill Landry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 05, 2004 10:58 AM
> Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
>
> > Where else would you suggest they be posted, after all, phishing e-mail are spam in my book. However, with that said, more and more virus vendors are starting to add phishing e-mail recognition to their virus definitions. Both uvscan (NAI/McAfee) and the latest release candidates for ClamAV support phishing e-mail detection.
> >
> > Bill
> >
> > ----- Original Message -----
> > From: "Dan Geiser" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, October 05, 2004 4:22 AM
> > Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
> >
> > Can I ask why you guys post these to the Declude JunkMail discussion list? It doesn't seem to have anything to do with the subject matter of this list.
> >
> > ----- Original Message -----
> > From: Kami Razvan <mailto:[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Sent: Tuesday, October 05, 2004 6:56 AM
> > Subject: [Declude.JunkMail] Citibank - phishing- still live
> >
> > Hi;
> > the following is another phishing attempt- the site still live.
> >
> > http://211.158.34.250/citifi/
> >
> > Regards,
> > Kami
> >
> >
> > ==== Email
> >
> > Subject: [37~]Dear customer your details have been compromised
> > MIME-Version: 1.0 (produced by annunciatemarginalia 8.2)
> > Content-Type: multipart/alternative; boundary="--938071008627732911"
> > X-RBL-Warning: IPNOTINMX:
> > X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
> > X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
> > X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html"
> > X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a potential spam source listed in NJABL-DUL.
> > X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
> > X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11"
> > X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 198, weight 13)
> > X-Declude-Sender: [EMAIL PROTECTED] [12.107.246.11]
> > X-Declude-Spoolname: D26691b0502409fba.SMD
> > X-Note: ==================================================================
> > X-Note: Spam Score: 37 [BLOCKED ON 20+ & DELETED ON 40+]
> > X-Note: Scan Time: 00:43:47 on 05 Oct 2004
> > X-Note: Spool File: D26691b0502409fba.SMD
> > X-Note: Server Name: dialup-12-107-246-11.dtccom.net
> > X-Note: SMTP Sender: [EMAIL PROTECTED]
> > X-Note: Reverse DNS & IP: dialup-12-107-246-11.dtccom.net [12.107.246.11]
> > X-Note: Country Chain: UNITED STATES->destination
> >
> >
> > ----938071008627732911
> > Content-Type: text/plain;
> >         charset="iso-2059-6"
> > Content-Transfer-Encoding: quoted-printable
> > Content-Description: nicholson salmonberry biblical
> >
> > Dear Customer:
> >
> > Recently there have been a large number of cyber attacks pointing our data=
> > base servers. In order to safeguard your account, we require you to sign o=
> > n immediately.
> >
> > This personal check is requested of you as a precautionary measure and to =
> > ensure yourselves that everything is normal with your balance and personal=
> > information.
> >
> > This process is mandatory, and if you did not sign on within the nearest t=
> > ime your account may be subject to temporary suspension.
> >
> > Please make sure you have your Citibank(R) debit card number and your User=
> > ID and Password at hand.
> >
> > Please use our secure counter server to indicate that you have signed on, =
> > please click the link bellow:
> >
> > http://211.158.34.250/citifi/
> >
> > !! Note that we have no particular indications that your details have been=
> > compromised in any way.
> >
> > Thank you for your prompt attention to this matter and thank you for using=
> > Citibank(R)
> >
> > Regards,
> >
> > Citibank(R) Card Department
> >
> > (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B.,
> > Citibank (West), FSB. Member FDIC.Citibank and Arc
> > Design is a registered service mark of Citicorp.
> >
> > ----938071008627732911--
> >
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail". The archives can be found
> > at http://www.mail-archive.com.
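A simplified model of the split, weighted spamdomains lists suggested in the message at the top of this thread, added here as an example; it is not Declude's code or configuration syntax. It assumes each line pairs a sender-address suffix with text that must appear in the connecting host's reverse DNS; the SD-PISH entries are the ones quoted above, while the SD-LOW entries and both weights are constructed.

```python
# Simplified model of split spamdomains lists with per-list weights.
# Assumption: "<sender suffix> <text required in reverse DNS>" per line.

SD_PISH = """\
@paypal.com .paypal.
@ebay.com .ebay.
.ebay.com .emailebay.com
citibank.com .ssmb.com
commercebank.com .psmtp.com
fleet.com .bkb.com
@usbank.com .usbank.com
wellsfargo.com .norwest.com
"""
# Constructed low-confidence list for free-mail domains.
SD_LOW = """\
@yahoo.com .yahoo.com
@msn.com .msn.com
"""
# Hypothetical weights: strong list scores high, noisy list scores low.
LISTS = {"SD-PISH": (SD_PISH, 20), "SD-LOW": (SD_LOW, 3)}


def parse(text):
    """Return (sender_suffix, required_rdns_text) pairs, one per line."""
    rules = []
    for line in text.splitlines():
        tokens = line.lower().split()
        if tokens:
            # Assumption: a one-token line requires the same text in the rDNS.
            rules.append((tokens[0], tokens[-1]))
    return rules


def failed_tests(sender, rdns, lists=LISTS):
    """Names of lists that cover the sender but do not accept the host."""
    sender = sender.lower()
    rdns = "." + rdns.lower().rstrip(".")  # leading dot lets ".x.com" match "x.com"
    failed = []
    for name, (text, _weight) in lists.items():
        hits = [need for suffix, need in parse(text) if sender.endswith(suffix)]
        # Fail only when the sender matched and no matching rule accepts the host.
        if hits and not any(need in rdns for need in hits):
            failed.append(name)
    return failed


def score(sender, rdns, lists=LISTS):
    """Total weight contributed by the failed spamdomains lists."""
    return sum(lists[name][1] for name in failed_tests(sender, rdns, lists))
```

In this model the second column is matched as a substring, so a pattern such as `.paypal.` accepts any host whose reverse DNS contains that label; full suffixes like `.ssmb.com` are the tighter form.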
