Addendum:

You do not need to restart the MessageSniffer service after you modify the .xml file; the change is automatically picked up. You can spot this in your log when there is a line that says "--RELOADING--".

Andrew.

________________________________
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck, Andrew
Sent: Thursday, December 09, 2010 12:26 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

Harry, the snippet I included was the literal text; you don't have to make any substitutions.

To avoid email formatting and readability issues, I am now attaching that as a text file.

I hope that helps.

Andrew.

________________________________

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Thursday, December 09, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

Have been following this and tried to use it.

However now I am not sure I did it right.

Do I leave "X-originating-IP" in the code, or do I have to substitute an IP or something else?

Thank you

Please note our new Address

Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222

DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Thank you.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: December-09-10 1:49 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

fyi - the "X-Originating-IP" as well as "X-AOL-IP" are the sender's IP - they have no relation to yahoo or aol.
What you can do with these IPs - which is what I do - is look 'em up in blacklists.

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

________________________________

From: "Colbeck, Andrew" <acolb...@bentallkennedy.com>
Sent: Wednesday, December 08, 2010 5:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

Thanks, Pete and Scott.

As always, Pete, that change worked as advertised.

I've put in a slight tweak as well as Scott's AOL suggestion: I pre-pended a period to qualify the domains tighter (I also left in the examples; that's my own practice for self-documentation).

    <source>
      <!-- <header name='X-Use-This-Source:' received='mixedsource.com [' ordinal='0' /> -->
      <!-- <header name='X-Originating-IP:' received='hotmail.com [' ordinal='0' /> -->
      <header name='X-Originating-IP:' received='.hotmail.com [' ordinal='0' />
      <header name='X-AOL-IP:' received='.aol.com [' ordinal='0' />
    </source>

I sent myself three messages from my own Hotmail account, and then checked my own firewall's IP address in my local GBU:

    CD \messagesniffer
    SNFClient.exe -test 1.2.3.4

    GBUdb Record for 1.2.3.4
    Type Flag: ugly
    Bad Count: 0
    Good Count: 3
    Probability: -1
    Confidence: 0.113212
    Range: normal
    Code: 0

Hopefully, others will choose to also pay in to the system, and regardless, I'll see less Hotmail and AOL spam from known zombie IP addresses!

Andrew 8)

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Monday, December 06, 2010 1:18 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

I made this change immediately.
Like Andrew I've always wondered why the Hotmail header hasn't been targeted by someone.

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil
Sent: Monday, December 06, 2010 2:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
> I have the same position as Scott.
>
> I find that the MessageSniffer product from ARM Research is the most reliable test
<snip/>
> Hotmail in particular would be less effective for the bad guys if I had an antispam tool that would determine from the headers that the sender was from Hotmail (or others) and then check the
>
> X-Originating-IP: [111.222.333.444]
<snip/>
> I've suggested it before but vendors are, quite reasonably, leery of building into their product a feature that is specific to a few providers while being prone to false positives.

Actually, if I may, Message Sniffer has precisely that feature built into GBUdb training. Specifically, you can tell Message Sniffer to identify the source IP for the message based on the presence of a specific header. This feature was designed specifically for hotmail and other systems that provide a source IP for one reason or another -- (perhaps complex internal routing).

For configuration information see:

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

If you configure this training mechanism for GBUdb in your Message Sniffer engine then GBUdb will become much more accurate for messages coming through that source.

Best,
_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010

---
[This E-mail was scanned by Declude]

---
This E-mail came from the Declude.JunkMail mailing list.
To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.

We are pleased to announce that Bentall LP and Kennedy Associates Real Estate Counsel, LP joined forces on December 1, 2010. To learn more, visit: www.bentallkennedy.com

This message (and any associated files) may contain confidential, proprietary and/or privileged material and access to these materials by anyone other than the intended recipient is unauthorized. Unauthorized recipients are required to maintain confidentiality. Any review, retransmission, dissemination or other use of these materials by persons or entities other than the intended recipient is prohibited and may be unlawful. If you have received this message in error, please notify us immediately and destroy the original.
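
Added example, not part of the original thread and not Message Sniffer's own code: a small Python model of the source-header selection discussed above, showing why the leading period in received='.hotmail.com [' matters and what happens when the header carries an unusable address. It assumes a rule means "when the Received header at position ordinal (0 = topmost) contains the received text, take the source IP from the named header"; the function names, sample hosts and documentation-range addresses are constructed for illustration.

```python
import email
import ipaddress
import re

# Rules modelled on the <source> block in the thread: (header name, text required
# in the Received header, ordinal of that Received header; 0 = topmost, assumed).
LOOSE_RULES = [("X-Originating-IP", "hotmail.com [", 0)]
TIGHT_RULES = [("X-Originating-IP", ".hotmail.com [", 0),
               ("X-AOL-IP", ".aol.com [", 0)]

BRACKETED_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def valid_ip(text):
    """Return the normalised address, or None if text is not a real IP."""
    try:
        return str(ipaddress.ip_address(text.strip().strip("[]")))
    except ValueError:
        return None


def source_ip(raw_message, rules):
    """Pick the IP to score: header-supplied if a rule matches, else the relay's."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    for name, needle, ordinal in rules:
        if ordinal < len(received) and needle in received[ordinal]:
            claimed = valid_ip(msg.get(name, ""))
            if claimed:
                return claimed
    # Fallback: bracketed IP of the topmost Received header (the connecting relay).
    if received:
        m = BRACKETED_IP.search(received[0])
        if m:
            return valid_ip(m.group(1))
    return None


def make_message(relay_host, relay_ip, originating):
    """Build a constructed sample message (documentation addresses only)."""
    return (f"Received: from {relay_host} [{relay_ip}] by mx.example.net; "
            "Thu, 9 Dec 2010 12:00:00 -0500\n"
            f"X-Originating-IP: [{originating}]\n"
            "Subject: constructed sample\n\nbody\n")


GENUINE = make_message("snt0-omc1.hotmail.com", "192.0.2.10", "198.51.100.7")
LOOKALIKE = make_message("mail.nothotmail.com", "203.0.113.5", "198.51.100.99")
MALFORMED = make_message("snt0-omc1.hotmail.com", "192.0.2.10", "111.222.333.444")
```

With the loose rule, the relay named nothotmail.com gets its self-declared X-Originating-IP scored in place of its own connecting address; with the period-qualified rule the relay's address is scored instead.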