I'll comment. ;-) invURIBL and Sniffer are very effective. With these two alone we have nearly removed ALL body/subject/header/etc... Filtering from Declude. The email that you questioned about and as Darrell pointed out, did fail invURIBL on our system as well.
Erik -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, September 02, 2005 7:55 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Suggestions on catching a spam message? Dave, One of the biggest things you can do since to help out since you are already running Sniffer is look at adding URI filtering. For example that domain is currently listed in black.uribl.com. If you want to give URI filtering a try check out our site - http://www.invariantsystems.com (invURIBL). URI filtering is very effective. Hopefully, other will comment on how well URI filtering is working for them as well. Darrell Dave Beckstrom writes: > > Hi Everyone, > > I just purchased declude two days ago. I'm running Declude with > message sniffer on a smartermail server. So far, it is working very > well. > > The approach that I have been trying to take is to, wherever possible, > avoid creating a custom filter entry to trap a specific email. Below > is an example of a spam email which slipped through this morning. I > sanitized the mail headers so any reference to myserver or mydomain or > myaddress is where I replaced our details in the headers. > > As you can see from the headers, there was very little wrong with this > email that would enable us to score it high enough for it to be considered spam. > > I tag the subject at a score of 14. > > At the bottom of this message is the actual body of the html email. > Obviously I could add a filter entry to look for "agnheqe3.com" and to > delete or hold the message. The problem with that approach, in my > opinion, is it never ends. If they have 1000 different domains that > means a 1000 filter entries. I hate filtering to block a specific > email and I would rather block based upon a pattern common to all > spam. > > I am wondering if you have had any success on trapping emails like the > one below? What would you add or change to have caught this message? > The only thing I saw, that is common to spam, which I think I could > filter on is the "/track?" in the URL. I've seen a lot of spam that > triggers various ASP or PHP or other programs in the IMG SRC tag which > enables a spammer to verify that the email was opened and read. > > What do you think? How can I tighten up my filtering to catch an > email such as the one below? > > Do you guys forward spam to spamcop or other places to help with the > RBLs? > > Thanks! > > Dave > > > > Return-Path: <[EMAIL PROTECTED]> Fri > Sep 02 07:34:48 2005 > Received: from sip.agnheqe3.com [206.131.238.29] by > myserver.mydomain.com with SMTP; > Fri, 2 Sep 2005 07:34:48 -0500 > MIME-Version: 1.0 > X-Accept-Language: en > X-Priority: Normal > From: Energy Drink <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Nationwide Energy Drink Survey > Date: Fri, 2 Sep 2005 04:08:28 EST > Message-ID: <q8tz5,[EMAIL PROTECTED]> > Content-Type: text/html; charset="ISO-8859-1" > Content-Transfer-Encoding: 7bit > X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail > client [8008000e]. > X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. > X-RBL-Warning: Filter_Country: Message failed Filter_Country test > (line 223, weight 0) > X-Note: ======================================== > X-Note: Spam Score: [6] > X-Note: Scan Time: 07:35:08 on 02 Sep 2005 > X-Note: Spool File: 37143703.EML > X-Note: Server Name: sip.agnheqe3.com > X-Note: SMTP Sender: [EMAIL PROTECTED] > X-Note: Reverse DNS & IP: sip.agnheqe3.com [206.131.238.29] > X-Note: Recipient(s): <fwd>[EMAIL PROTECTED] > X-Note: Country Chain: UNITED STATES->destination > X-Note: Failed Weights: BADHEADERS [8], SPFUNKNOWN [1], Filter_Country [0] > X-Note: ======================================== > > > > > <html> > <body><br> > <a > href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m=6225115 > &l=0"> > <img > src="http://agnheqe3.com/t?m=6225115&l=3"; border=0></a><br><br> > <img > src="http://agnheqe3.com/t?m=6225115&l=2"; border=0></a><br><br> > <a > href="http://agnheqe3.com/t?m=6225115&l=4";> > <img > src="http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6z&m=6225115&l=1"; > border=0></a><br> > <br><br><font color='#ffffff' face='arial,helvetica' > size='1'><5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115></font></body></html> > > --- > [This E-mail scanned for viruses by Declude Virus] > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > "unsubscribe Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. ------------------------------------------------------------------------ Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
