Will,
 
Use Notepad to check the tail end of the file. The Declude headers may be at the end of the file. If the Declude headers are at the end of the file, note whether or not:
 
1. The Received: lines appear normal
2. There may or may not be some X-Header lines immediately after the Received: lines that appear normal
3. The From, To, Subject and body of the message all appear to be on one or two lines in Notepad.
4. Followed by Declude headers
 
If the above is true, then:
 
1. The message is in violation of RFC in that it is missing either carriage returns or line feeds. The RFC calls for lines to be terminated by a carriage return/line feed pair.
 
2. This is a known issue with Declude handling these types of messages. Based on observation, it appears that Declude processes messages in line-mode rather than byte-mode. Rather interesting that Declude trusts spammers and virus writers to construct messages according to RFC.
 
-----------------------------
 
Let me know what you find.
 
While writing this message, I happened to think about attachments. It would appear to me that there is an implied possibility for attachments, and therefore viruses, to pass through undetected. All that should be required is that the lines that make up the entire email, including the attachment section, be terminated with line feeds instead of carriage return/line feed pairs. Under such a condition, Declude would see only one line and not find the relevant sections. I will test this possibility.
 

Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)
 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Will
Sent: Thursday, October 19, 2006 4:52 PM
To: [email protected]
Subject: [Declude.JunkMail] Suge of spam in recient week.

I have been getting a lot of spam recently. The subjects are typical and the From always displays as a common first name.

For each of these messages, I see no Declude content. The IP and the address are not excluded or whitelisted, and if it were, an X-header should say it was. For some reason there is no Declude processing here. Any ideas? The following is the header for one of these messages:

 

Received: from cyrix [82.201.160.214] by mail.ncats.net with ESMTP
  (SMTPD-9.10) id A0881C80; Wed, 18 Oct 2006 21:10:32 -0400
Message-ID: <[EMAIL PROTECTED]>
From: "Robert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Cheapest way to solve health problems.
Date: Thu, 19 Oct 2006 03:10:34 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
            boundary="------------ms030809000704050003000706"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

I would normally see a header like this:

 

Received: from 203.111.235.51 [203.111.235.51] by mail.ncats.net
  (SMTPD-9.10) id AD4E1464; Wed, 18 Oct 2006 20:56:46 -0400
Received: from mx3.mail.yahoo.com
            by 203.111.235.51 (8.12.11/8.12.11) with ESMTP id Yz77Trqj3H8fGj
            for <[EMAIL PROTECTED]>; Wed, 18 Oct 2006 21:53:53 -0400
Received: from [251.130.5.67]
            by mx3.mail.yahoo.com with ESMTP (Exim 4.05) id NyG7OgPl6HWI
            for <[EMAIL PROTECTED]>; Wed, 18 Oct 2006 21:53:53 -0400
Date: Wed, 18 Oct 2006 21:53:53 -0400
From: Bridgett Kim <[EMAIL PROTECTED]>
Reply-To: Bridgett Kim <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: SEXUALLY EXPLICIT : Hidden upskirt camera shots
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-RBL-Warning: CBL: "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=203.111.235.51"
X-RBL-Warning: SORBS-WEB: "Exploitable Server See: http://www.sorbs.net/lookup.shtml?203.111.235.51"
X-RBL-Warning: BADWHOIS: "Inaccurate or missing WHOIS data"
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: DYNHELO: Dynamic HELO found.
X-RBL-Warning: HELOBOGUS: Domain 203.111.235.51 has no MX or A records [0301].
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 203.111.235.51 with no reverse DNS entry.
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [2000010f].
X-RBL-Warning: WEIGHT10: Weight of 52 reaches or exceeds the limit of 10.
X-RBL-Warning: WEIGHT14: Weight of 52 reaches or exceeds the limit of 14.
X-RBL-Warning: WEIGHT20: Weight of 52 reaches or exceeds the limit of 20.
X-Declude-Sender: [EMAIL PROTECTED] [203.111.235.51]
X-Declude-Spoolname: Dcd4d03210000c10b.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.3.14 for spam. "http://www.declude.com/x-note.htm"
X-Declude-Scan: Incoming Score [52] at 20:56:55 on 18 Oct 2006
X-Declude-Fail: CBL [6], SORBS-WEB [5], BADWHOIS [3], NOABUSE [2], NOPOSTMASTER [1], CMDSPACE [8], DYNHELO [5], HELOBOGUS [5], REVDNS [10], ROUTING [2], COUNTRY-NONUS-CANADA [5], WEIGHT10 [10], WEIGHT14 [14], WEIGHT20 [20], WEIGHT30 [30]
X-Country-Chain: [IANA Reserved]->PHILIPPINES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>
Status:
X-UIDL: 451635306
X-IMail-ThreadID: cd4d03210000c10b

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
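
An added example, not part of the original posts and not Declude's code: a pre-scan check for the condition described in the thread. It counts bare LF and bare CR terminators in a raw message, shows which header names a reader that splits only on CRLF would find, and normalizes the message to CRLF so every header is visible. The sample message, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample: the Received: line ends in CRLF, everything after it
# ends in bare LF, matching the layout described in the reply above.
SAMPLE_BARE_LF = (
    b"Received: from host.example [192.0.2.10] by mx.example with ESMTP\r\n"
    b'From: "Robert" <sender@example.org>\n'
    b"To: <rcpt@example.net>\n"
    b"Subject: constructed test message\n"
    b"\n"
    b"Body text\n"
)

BARE_LF = re.compile(rb"(?<!\r)\n")  # LF not preceded by CR
BARE_CR = re.compile(rb"\r(?!\n)")   # CR not followed by LF


def line_ending_report(raw: bytes) -> dict:
    """Count proper CRLF pairs and the two kinds of bare terminator."""
    return {
        "crlf": raw.count(b"\r\n"),
        "bare_lf": len(BARE_LF.findall(raw)),
        "bare_cr": len(BARE_CR.findall(raw)),
    }


def normalize_to_crlf(raw: bytes) -> bytes:
    """Rewrite every CRLF, bare CR and bare LF as exactly one CRLF."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", raw)


def header_names(raw: bytes) -> list:
    """Header field names as seen by a reader that splits only on CRLF."""
    names = []
    for line in raw.split(b"\r\n"):
        if line == b"":
            break  # blank line ends the header block
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous header
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.decode("ascii", "replace"))
    return names
```

A non-zero `bare_lf` or `bare_cr` count is a reason to normalize, or to quarantine, the message before a line-oriented filter sees it.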