The @debora will change...
I get over a 1000 spam a day from this
spammer.
I don't think you'll be able to target his zombies
effectively with any IP4r list.
----- Original Message -----
Sent: Thursday, November 09, 2006 4:51
PM
Subject: Re: [Declude.JunkMail] Spam not
being caught
So far - and I have been hammered as well is they all
contain 2 "$$" and end with @debora I have a regex that hits these -
[EMAIL PROTECTED]
-Nick
Karl Hentschel wrote:
Here are a headers from a few of the messages, with
our email address removed, that we have been receiving. We have
been receiving tons of these from different domains, IP's.. I have
been using IMail filters to catch some of them because Declude hasn't been
doing a very good job.
This one didn't fail any Declude
tests.
from <[EMAIL PROTECTED]>
Wed Nov 08 12:53:17 2006 Received: from host33-74.birch.net
[216.212.33.74] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id
A3A7FB00E8; Wed, 08 Nov 2006 12:52:55 -0800 Return-Path: <[EMAIL PROTECTED]> Received:
from 208.65.145.2 (HELO
buckeyenissan.com.inbound15.mxlogicmx.net) by
pcfcu.org with esmtp (D70MB482Y 8LJH6) id
IFLT4O-RHJVV5-3H for xxx@ourdomain.com; Wed, 8 Nov 2006 20:52:49
+0360 From: "Mamie Cabrera" <[EMAIL PROTECTED]> To:
<xxx@ourdomain.com> Subject:
X-IMail-SPAM-Phrase Mamie wrote: Date: Wed, 8 Nov 2006 20:52:49
+0360 Message-ID: <[EMAIL PROTECTED]> MIME-Version:
1.0 Content-Type:
text/plain; charset="iso-8859-1" Content-Transfer-Encoding:
7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer:
Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By
Microsoft MimeOLE V6.00.2800.1506 Thread-Index:
Aca6Q3OW2X20X4MXS950OD9TUPU55Z== X-Declude-Sender: [EMAIL PROTECTED]
[216.212.33.74] X-Declude-Spoolname:
D43a700fb00e8c9be.smd X-Declude-Note: Scanned by Declude 3.1.1 for spam.
"http://www.declude.com/x-note.htm" X-Declude-Scan:
Incoming Score [0] at 12:53:16 on 08 Nov 2006 X-Declude-Fail:
None X-Country-Chain: UNITED
STATES->destination X-IMAIL-SPAM-PHRASE: (43a700fb00e8c9be, whats the
first rule of investing) X-RCPT-TO: xxx@ourdomain.com Status:
U X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData-
X-IMAIL-SPAM-PHRASE MAMIE WRO X-UIDL: 463003429
This failed a few.
from <[EMAIL PROTECTED]>
Thu Nov 09 12:03:16 2006 Received: from
APuteaux-152-1-90-68.w86-205.abo.wanadoo.fr [86.205.87.68] by mail.pcfcu.org
with ESMTP (SMTPD32-8.15) id A96664D00D0; Thu, 09 Nov 2006
12:02:46 -0800 Return-Path: <[EMAIL PROTECTED]> Received:
from 207.236.26.82 (HELO
mail.cableteksystems.com) by pcfcu.org with
esmtp (DEIL1D7SO3 S7E59) id
V714O9-TFHDJZ-CD for xxx@ourdomain.com; Thu, 9 Nov 2006 20:02:42
-0060 From: "Bud Mora" <[EMAIL PROTECTED]> To:
<xxx@ourdomain.com> Subject:
X-IMail-SPAM-Phrase It's Bud :) Date: Thu, 9 Nov 2006 20:02:42
-0060 Message-ID: <[EMAIL PROTECTED]> MIME-Version:
1.0 Content-Type:
text/plain; charset="iso-8859-1" Content-Transfer-Encoding:
7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer:
Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By
Microsoft MimeOLE V5.50.4133.2400 Thread-Index:
Aca6QIH9S2BNQ98OSCRZRQUO3YHU09== X-RBL-Warning: FIVETEN-SRC:
68.87.205.86.blackholes.five-ten-sg.com. X-RBL-Warning: DYNHELO: Dynamic
HELO found. X-Declude-Sender: [EMAIL PROTECTED]
[86.205.87.68] X-Declude-Spoolname:
D8965064d00d0eb56.smd X-Declude-Note: Scanned by Declude 3.1.1 for spam.
"http://www.declude.com/x-note.htm" X-Declude-Scan:
Incoming Score [9] at 12:03:15 on 09 Nov 2006 X-Declude-Fail: FIVETEN-SRC
[4], DYNHELO [5] X-Country-Chain:
CANADA->FRANCE->destination X-IMAIL-SPAM-PHRASE: (8965064d00d0eb56,
our hottest pick) X-RCPT-TO: <xxx@ourdomain.com> Status:
U X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.com Data-
X-IMAIL-SPAM-PHRASE IT'S BUD X-UIDL: 463095290
Hi Karl,
Post a sample with full headers
so we can see what the scofflaw is sending you
-Nick
Karl
Hentschel wrote:
Thanks for the tip, but unfortunately I am not using the Pro version of
Declude so I cannot create my own filters. Are others being slammed with
stock spam recently? Declude is blocking several hundred of them a day, but
many are still slipping through without failing any or very few tests. Is it
possible to block with the country chain? I noticed that they are coming
from out of the country. How is everyone dealing with these?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott
Fisher
Sent: Monday, November 06, 2006 11:27 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam not being caught
This filter will work for targeting CMDSPACE with a gif attachment.
You might want to
SKIPIFWEIGHT 315
STOPATFIRSTHIT
BODY END NOTCONTAINS Content-Type: image/gif TESTSFAILED END NOTCONTAINS
CMDSPACE
BODY 100 CONTAINS img src=""
BODY 100 CONTAINS src="" class=moz-txt-link-rfc2396E href="">"cid:
BODY 100 CONTAINS src=""cid:BODY100CONTAINSsrc=3D">"cid:
BODY 100 CONTAINS src="">= cid:
----- Original Message -----
From: "Karl Hentschel" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Monday, November 06, 2006 12:58 PM
Subject: [Declude.JunkMail] Spam not being caught
We have been getting quite a bit of SPAM, usually about stocks that is not
being caught by Declude. I have the newest version of Declude, updated
filter files from Imail, invURIBL, trial version of Sniffer. These emails
are typically only failing cmdspace and helobogus, not enough to get
blocked. Has anyone had any success blocking these recent floods of
emails?
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
--- This E-mail came from the Declude.JunkMail
mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This
E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- This E-mail came from the Declude.JunkMail mailing
list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED],
and type "unsubscribe Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
|