Hi Everyone, I just purchased Declude two days ago. I'm running Declude with Message Sniffer on a SmarterMail server. So far, it is working very well.
The approach that I have been trying to take is to, wherever possible, avoid creating a custom filter entry to trap a specific email. Below is an example of a spam email which slipped through this morning. I sanitized the mail headers, so any reference to myserver or mydomain or myaddress is where I replaced our details in the headers. As you can see from the headers, there was very little wrong with this email that would enable us to score it high enough for it to be considered spam. I tag the subject at a score of 14. At the bottom of this message is the actual body of the HTML email.

Obviously I could add a filter entry to look for "agnheqe3.com" and to delete or hold the message. The problem with that approach, in my opinion, is that it never ends. If they have 1000 different domains, that means 1000 filter entries. I hate filtering to block a specific email and I would rather block based upon a pattern common to all spam.

I am wondering if you have had any success in trapping emails like the one below. What would you add or change to have caught this message? The only thing I saw that is common to spam, and which I think I could filter on, is the "/track?" in the URL. I've seen a lot of spam that triggers various ASP or PHP or other programs in the IMG SRC tag, which enables a spammer to verify that the email was opened and read. What do you think? How can I tighten up my filtering to catch an email such as the one below?

Do you guys forward spam to SpamCop or other places to help with the RBLs?

Thanks!
Dave

Return-Path: <[EMAIL PROTECTED]> Fri Sep 02 07:34:48 2005
Received: from sip.agnheqe3.com [206.131.238.29] by myserver.mydomain.com with SMTP; Fri, 2 Sep 2005 07:34:48 -0500
MIME-Version: 1.0
X-Accept-Language: en
X-Priority: Normal
From: Energy Drink <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Nationwide Energy Drink Survey
Date: Fri, 2 Sep 2005 04:08:28 EST
Message-ID: <q8tz5,[EMAIL PROTECTED]>
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8008000e].
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 223, weight 0)
X-Note: ========================================
X-Note: Spam Score: [6]
X-Note: Scan Time: 07:35:08 on 02 Sep 2005
X-Note: Spool File: 37143703.EML
X-Note: Server Name: sip.agnheqe3.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: sip.agnheqe3.com [206.131.238.29]
X-Note: Recipient(s): <fwd>[EMAIL PROTECTED]
X-Note: Country Chain: UNITED STATES->destination
X-Note: Failed Weights: BADHEADERS [8], SPFUNKNOWN [1], Filter_Country [0]
X-Note: ========================================

<html>
<body><br>
<a href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m=6225115&l=0">
<img src="http://agnheqe3.com/t?m=6225115&l=3" border=0></a><br><br>
<img src="http://agnheqe3.com/t?m=6225115&l=2" border=0></a><br><br>
<a href="http://agnheqe3.com/t?m=6225115&l=4">
<img src="http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6z&m=6225115&l=1" border=0></a><br>
<br><br><font color='#ffffff' face='arial,helvetica' size='1'><5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115></font></body></html>

---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail".
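The pattern-based check the post asks about (the "/track?" URL and IMG SRC tags that call a program instead of loading a static image), sketched in Python as an added example. It is not part of the original post and is not Declude filter syntax; the weights, test names and sample hosts are assumptions made up for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}

class UrlCollector(HTMLParser):
    """Collect every IMG SRC and A HREF found in an HTML body."""
    def __init__(self):
        super().__init__()
        self.img, self.href = [], []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.img.append(attrs["src"])
        elif tag == "a" and attrs.get("href"):
            self.href.append(attrs["href"])

def is_dynamic_image(url):
    """IMG SRC that calls a program: has a query string, no image extension."""
    parts = urlsplit(url)
    ext = os.path.splitext(parts.path)[1].lower()
    return bool(parts.query) and ext not in IMAGE_EXTS

def is_track_url(url):
    """URL of the form .../track?... as in the message above."""
    parts = urlsplit(url)
    return bool(parts.query) and "track" in parts.path.lower().split("/")

def score_body(html):
    """Return (score, reasons). Weights are hypothetical; tune to your hold score."""
    c = UrlCollector()
    c.feed(html)
    score, reasons = 0, []
    beacons = [u for u in c.img if is_dynamic_image(u)]
    if beacons:
        score += 4
        reasons.append("DYNAMIC_IMG x%d" % len(beacons))
    if any(is_track_url(u) for u in c.img + c.href):
        score += 3
        reasons.append("TRACK_URL")
    return score, reasons

# Constructed samples (placeholder hosts), not taken from real mail.
SPAM = ('<html><body><a href="http://mailer.example.invalid/track?e=TOKEN&m=1001&l=0">'
        '<img src="http://mailer.example.invalid/t?m=1001&l=3" border=0></a>'
        '<img src="http://mailer.example.invalid/track?e=TOKEN&m=1001&l=1"></body></html>')
HAM = ('<html><body><a href="http://www.example.org/news?id=5">'
       '<img src="http://www.example.org/logo.gif"></a>Monthly news</body></html>')
```

Legitimate newsletters also use open-tracking images, so these signals work better as weights added to the other failed tests than as a reason to delete on their own.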
