[Declude.JunkMail] Auto Sales Spam

2013-04-19 Thread Dave Beckstrom
Has anyone come up with a filter to deal with the rash of new car sales spam
that has recently gotten bad?  There doesn't seem to be much to filter on
from a content standpoint.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] No one at Declude?

2013-04-18 Thread Dave Beckstrom
Was anyone able to download the all_list.dat file from the interim directory
that David posted?  Everything else downloaded for me except that file.

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 8:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Filters yes all_list.dat working on that.

-Original Message-
From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, April 18, 2013 9:14 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

David - with your support extended to the community, will you be able to
offer maintenance of the all_list.dat as well as the filters?


-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:02 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Not that I can think of, the real advantage is it shuts off all  internal
validations, AVG which has already stopped, SNF and CT which will stop
anytime soon.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 1:43 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Thanks David,

So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs.
the Bypass key?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:09 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

If internal SNF is still ON then it can conflict with external Message
Sniffer by grabbing the port which SNF uses. Using our fix will ensure
internal SNF is turned OFF. If using the bypass key has everything OFF then
that is fine too.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:46 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

So - is there any advantage of using the hosts file trick (to invalidate the
license server IP address) http://mailsbestfriend.com/declude-fix
vs. using the special "bypass" license code?

Does one enable more functions than the other?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 12:31 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Yes Internal Sniffer is no longer a valid option. Need to switch to
external.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:06 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Uh - but with that code, the internal SNF is turned off?

So one has to configure Sniffer as an external test with a separate Sniffer
license code?

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: April 17, 2013 2:43
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Apparently I was too quick on the draw as this line has since been added to
the diag file:

04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B]
IS INVALID KEY

Did someone say something about new keys?

-Original Message-
From: SM Admin
Sent: Tuesday, April 16, 2013 10:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I noticed today that Declude wasn't processing.  I checked the diag file and
it has the usual entries at the top plus an entry at the bottom saying that
the Sniffer license is invalid.  How is that?

So then I restarted the Declude service and now the diag file only shows
this:

Declude 4.12.02 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2013 Declude, Inc.

Host Name   mail1.bcwebhost.net
Declude Key 

So I have no idea what's going on. Anyone?

-Original Message-
From: Brian Baker
Sent: Tuesday, April 16, 2013 7:09 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Looks like tonight we better figure out a new approach. My declude diag file
is now reading declude lic as invalid. Anyone else?


- Original Message -
From: "Todd Richards" 
To: 
Sent: Monday, April 15, 2013 9:34 AM
Subject: RE: [Declude.JunkMail] No one at Declude?



What system is that?  Our users are getting hammered with spam.  Reminds me
of the days, many years ago, before I happened upon Declude...

Todd



-Original Message-
On Sunday, April 14, 2

RE: [Declude.JunkMail] No one at Declude?

2013-04-17 Thread Dave Beckstrom
Hi Darin,

I don't have stats but in manual checks it seems to be about 50% of my spam.

stepvalve.net
Creation date: 16 Apr 2013 16:13:00
Expiration date: 16 Apr 2014 08:13:00


kunstkennis.com
Updated Date: 17-apr-2013
Creation Date: 16-apr-2013

shoputc.com
Creation date: 16 Apr 2013 19:24:13
Expiration date: 16 Apr 2014 19:24:00


What ticks me off is a lot of it is registered with ENOM which is where I
buy my domains.



From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 1:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?


Hi Dave,

Maybe we are looking at different cross-sections of the spam problem, but on
our systems we see a lot from spammy domains that are not brand new.

Darin.



From: Dave Beckstrom <mailto:db...@atving.com>
Sent: Wednesday, April 17, 2013 2:22 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Darin,

The new domain test would work on a majority of spam.

Here is one from the "saffron extract" spams that are being sent.  Just got
this one this morning.

Received: from mail3.llorynlouise.com [173.237.33.77] by

[Querying whois.enom.com]
[whois.enom.com]
Updated Date: 17-apr-2013
Creation Date: 16-apr-2013



From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 1:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?


FYI... I spot-checked some of the domains involved in what we were seeing.
Many were two or three years old, so the new domain test would not work on
them.

On the report, there are log parsers that will do that for you, including
Grep and Sawmill.  We don't use those, but import our logs into SQL Server
for processing and reporting.

Darin.



From: Dave Beckstrom <mailto:db...@atving.com>
Sent: Wednesday, April 17, 2013 1:37 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I put in a request to Darrell at Invariant to see if he could update
URIExtract to produce a report of IPs on top of the domain report that it
currently produces.

What I've been doing is if I receive one spam from say 69.22.136.43 and
another spam from 69.22.136.48 then I firewall 69.22.136.0/24

I'd like to see a report of IPs extracted from emails and a count of how
many emails were found from a given IP -- reports taken from the INVURIBL
log files, that is.

I've not heard back from Darrell.   I don't have any other tool at my
disposal for extracting those IPs.

What we really need, is something that would do a whois query and for any
domain registered within say the last 24 hours then declude could hold or
delete the email.  The majority of spam seems to be from spammers who
registered a domain using a fake credit card and by the time the registrar
figures out they didn't get paid then the spammer is on to the next domain.




From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 12:23 PM
To: Declude.JunkMail@declude.com
Subject: [SPAM]- Score (19)Re: [Declude.JunkMail] No one at Declude?


Not many IPs in that range in use yet according to SenderBase, but those
that are are very bad.

We've been seeing a lot of spam traffic where SenderBase didn't have any
measurements on the IP yet that we were seeing, but had a number of others
in the same subnet... all bad.

Darin.



From: Katie La Salle-Lowery <mailto:ka...@centric.net>
Sent: Wednesday, April 17, 2013 1:06 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?


Here are the headers of an example I received.

Received: from pop.mountainmusicmeltdown.com [207.223.191.101] by
  mail.centric.net with ESMTP
  (SMTPD-11.01) id 1950001a04b74c7d; Wed, 17 Apr 2013 08:57:09 -0600
From: "credit line increase"
To:
Subject: Magnificent News! TransUnion Gave You a Credit Increase
Date: Wed, 17 Apr 2013 10:50:56 -0400
Message-ID:
  <34770215301099823782438a696834a88ab99428fd8da700613@pop.mountainmusicmeltdown.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-MessageSniffer-Identifier: C:\IMail\spool\proc\work\D1950001a04b74c7d.smd
X-GBUdb-Analysis: 0, 207.223.191.101, Ugly c=0.279065 p=1 Source Truncate
X-MessageSniffer-Scan-Result: 20
X-MessageSniffer-Rules:
  20-0-0--1-f
X-RBL-Warning: SUBCHARS-55: Subject with at least 55 characters found.
X-Declude-Sender: barbara_watk...@mountainmusicmeltdown.com
  [207.223.191.101]
X-Declude-Spoolname: D1950001a04b74c7d.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Centric Internet Services using Declude 4.12.01
  for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [8] at 08:57:23 on 17 Apr 2013
X-Declude-Fail: SORBS-DUL [5], SORBS [4]
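
The per-IP report and /24 grouping Dave describes earlier in this thread, sketched in Python as an added example; it is not from the posts and is not URIExtract or INVURIBL code. It reads the `Received:` layout quoted above rather than INVURIBL logs (whose format the thread does not show); the messages and the `*.example` host names are constructed, the public IPs are the ones mentioned in the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches the header layout quoted in this thread:
#   Received: from mail3.llorynlouise.com [173.237.33.77] by
_RECEIVED = re.compile(r"^Received: from \S+ \[([0-9.]+)\]", re.MULTILINE)


def connecting_ip(raw_headers):
    """IP from the topmost Received header, the one the local server wrote.

    Lower Received headers are supplied by the sender and can be forged,
    so only the first match is used.
    """
    match = _RECEIVED.search(raw_headers)
    if match is None:
        return None
    try:
        ip = ipaddress.ip_address(match.group(1))
    except ValueError:
        return None               # not a valid dotted quad
    # Internal relays and loopback are never firewall candidates.
    return None if (ip.is_private or ip.is_loopback) else ip


def subnet_report(messages, min_hosts=2):
    """Return (per-IP message counts, /24s with at least min_hosts senders)."""
    per_ip = Counter()
    for raw in messages:
        ip = connecting_ip(raw)
        if ip is not None:
            per_ip[str(ip)] += 1

    hosts_by_net = defaultdict(set)
    for ip in per_ip:
        net = ipaddress.ip_network(ip + "/24", strict=False)
        hosts_by_net[net].add(ip)

    # One spam from one address is not enough to justify a /24 rule;
    # require several distinct senders in the same network.
    candidates = [str(net) for net in sorted(hosts_by_net)
                  if len(hosts_by_net[net]) >= min_hosts]
    return dict(per_ip), candidates


# Constructed spam headers (only the Received lines matter here).
SAMPLE_MESSAGES = [
    "Received: from a.spam.example [69.22.136.43] by mail.local.example\n"
    "Received: from forged.example [173.237.33.77] by a.spam.example\n",
    "Received: from a.spam.example [69.22.136.43] by mail.local.example\n",
    "Received: from b.spam.example [69.22.136.48] by mail.local.example\n",
    "Received: from mail3.llorynlouise.com [173.237.33.77] by mail.local.example\n",
    "Received: from scanner.local.example [10.0.0.5] by mail.local.example\n",
    "Subject: no Received header at all\n",
]

if __name__ == "__main__":
    counts, nets = subnet_report(SAMPLE_MESSAGES)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {ip}")
    print("firewall candidates:", nets)
```

A /24 rule also blocks any legitimate sender in that range, so the candidate list is a prompt for a reputation lookup rather than an automatic block.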

[Declude.JunkMail] Sample global.cfg ?

2013-04-17 Thread Dave Beckstrom

Is there a current sample global.cfg available?  I haven't looked through
mine in awhile and I may have some outdated RBLs, etc.  Would like to see
the current sample just to get an idea of what may have changed.








RE: [Declude.JunkMail] Thank you for your email. I will be out of the office from 4/15/2013 until 4/19/2013. Dur

2013-04-13 Thread Dave Beckstrom


Everyone better add a filter to delete messages with Dan's name until he
gets back. Can you say vicious circle?

-Original Message-
From: Daniel Slentz [mailto:dsle...@oasisol.com]
Sent: Saturday, April 13, 2013 3:19 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Thank you for your email. I will be out of the
office from 4/15/2013 until 4/19/2013. Dur

Thank you for your email. I will be out of the office from 4/15/2013 until
4/19/2013. During that time I will have limited access to email but will
respond upon my return. If you require an immediate response, please contact
ad...@oasisol.com.  Have a great day

Dan Slentz
Network Engineer
Oasis Online
775-423-6277







RE: [Declude.JunkMail] No one at Declude?

2013-04-09 Thread Dave Beckstrom
Someone should start up a new discussion list that everyone can join before
this one goes away.  It would be good to have a place to continue
collaboration.








[Declude.JunkMail] Whois Tests?

2013-03-22 Thread Dave Beckstrom
A significant number of spams are referencing links to domains that were
created within say the last 7 - 10 days.  I believe it's because they are
created with bad credit cards.  The spam is sent and by the time the
registrar finds out the credit card was bad the spammer is done using the
domain and they don't care if it becomes disabled.

I know there are RBL lists like spameatingmonkey.com that have recently
created domains listed.  But I'm finding most new domains not listed.

What we really need is a test that would do a whois, using something like
betterwhois.com that aggregates whois results, and that would identify newly
registered domains.  I'd block 100% on any domain created in the last 10
days if we had a test like that.

Anyone ever heard of such a thing?  I can't be the first person wanting
something like this.
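
The domain-age test asked for here (and again in the April 2013 thread, with a 24-hour cutoff), sketched in Python as an added example; it is not part of the original posts and is not Declude code. It works on whois text that has already been fetched, assumes all timestamps are UTC, and accepts two ISO date layouts that do not appear in the thread; the `old-example.test` and `no-date.test` records and the arrival time are constructed.

```python
import re
from datetime import datetime, timedelta

# "Creation date: 16 Apr 2013 16:13:00" and "Creation Date: 16-apr-2013" are
# the two layouts quoted in this archive; the ISO layouts are an assumption.
_CREATED = re.compile(r"^[ \t]*creation date:[ \t]*(.+?)\s*$",
                      re.IGNORECASE | re.MULTILINE)
_FORMATS = (
    ("%d %b %Y %H:%M:%S", True),
    ("%d-%b-%Y", False),
    ("%Y-%m-%dT%H:%M:%SZ", True),
    ("%Y-%m-%d", False),
)


def creation_window(whois_text):
    """Return (earliest, latest) possible registration time, or None."""
    match = _CREATED.search(whois_text)
    if match is None:
        return None
    for fmt, has_time in _FORMATS:
        try:
            start = datetime.strptime(match.group(1), fmt)
        except ValueError:
            continue
        # A date-only record may have been created at any moment of that day.
        end = start if has_time else start + timedelta(days=1)
        return start, end
    return None


def classify(whois_text, received_at, max_age_days=10):
    """Return 'new', 'established' or 'unknown' for one whois record."""
    window = creation_window(whois_text)
    if window is None:
        return "unknown"          # no parseable date: add no weight
    earliest, latest = window
    if received_at < earliest:
        return "unknown"          # date in the future: clock or timezone issue
    # Judge on the youngest age the record allows, so a date-only record
    # cannot hide a domain registered late on the previous day.
    youngest = received_at - latest
    if youngest <= timedelta(days=max_age_days):
        return "new"
    return "established"


RECEIVED_AT = datetime(2013, 4, 17, 13, 37)   # constructed arrival time (UTC)

WHOIS_SAMPLES = {
    # First two records are the ones quoted in the April 2013 thread.
    "stepvalve.net": "Creation date: 16 Apr 2013 16:13:00\n"
                     "Expiration date: 16 Apr 2014 08:13:00\n",
    "kunstkennis.com": "Updated Date: 17-apr-2013\n"
                       "Creation Date: 16-apr-2013\n",
    # Constructed records for the negative and the unparseable case.
    "old-example.test": "Creation Date: 02-mar-2010\n",
    "no-date.test": "No match for domain.\n",
}


def report(max_age_days):
    """Classify every sample record against one age threshold."""
    return {domain: classify(text, RECEIVED_AT, max_age_days)
            for domain, text in WHOIS_SAMPLES.items()}


if __name__ == "__main__":
    for days in (10, 1):
        print(days, report(days))
```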





[Declude.JunkMail] Joe Jobs

2012-11-28 Thread Dave Beckstrom
Hi All,

This isn't specifically a Declude question but I thought I'd ask anyway as
it's still of interest to the group, I think.

I have one domain that is being referenced in a Joe Job.  Essentially, a
spammer sends out thousands of emails using various compromised computers.
In the "FROM" field, they put randomaddr...@mydomain.com.

My server gets all the backscatter email from the victims' servers.

This has been going on for better than 6 months.  My server can handle the
volume.  The real problem is my customer gets nasty emails from people who
think they spammed them and they don't realize it had nothing to do with our
server or my customer.

I've not been able to figure out a way to stop the spammers from using my
domain in their FROM addresses.  Essentially, I was trying to figure out if
through SPF records or other means I could do something that would make
referencing my domain ineffective for them.   That didn't seem to help.

Also, since they don't send through my server, there is little I can do.

Have any of you had to deal with this situation?  Any clever ideas?

Thanks,

Dave








[Declude.JunkMail] Whitelist emails with attachments?

2012-06-19 Thread Dave Beckstrom
Is there a way in declude to either whitelist or set a filter giving credit
(negative weight), when an email sent to a specific user/domain has an
attachment attached to it?









RE: [Declude.JunkMail] Dealing with Joe Jobs?

2011-12-07 Thread Dave Beckstrom
Hi Darin,

Thanks for the reply.  The mail server seems to handle the bounces okay as
we don't have a catchall address set up.  The smtp server connects, gets a
"no such user here" response and disconnects.  No mail is actually
delivered.  At least that is my interpretation (from the log files) as to
what's happening.

I suspect this has been going on for months with the one domain.



-Original Message-
From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, December 07, 2011 12:54 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Dealing with Joe Jobs?

Hi Dave,

We see this occasionally, and SPF does help a little, but SPF is often not
enforced, so it's more valuable for self-addressed spam than anything
else... and many senders violate their own SPF policy.

Deleting your MX doesn't help since the bounces are coming from all over,
not from the spammer.

We have occasionally put in additional filtering rules for the domain in
question to look for keywords such as "Undeliverable" and hold hits for
review, but most of the time our regular filtering does a good enough job
that the customer doesn't get most of the bounces.  Usually the joe-job
lasts for 1-2 weeks and then it's over.

Hope this helps,

Darin.


- Original Message -
From: "Dave Beckstrom" 
To: 
Sent: Tuesday, December 06, 2011 7:12 PM
Subject: [Declude.JunkMail] Dealing with Joe Jobs?


Hi All,

This isn't a Declude topic but is relevant to dealing with a sort of spam
issue.  I hope nobody minds discussing this.  I would appreciate hearing any
advice you might have to offer.

I have a customer whose domain is being used for Joe Jobs.  Someone is
randomizing email addresses for this domain and presumably sending out
millions of emails.  My mail server is dealing with the backscatter.  I'm
getting probably close to 50 - 100 server connections a minute.

My smtp log shows the following type of entries (sanitized for posting
here):

17:23:50 [216.127.80.40][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [216.127.80.40][30884] cmd: EHLO shack.traxel.com
17:23:51 [216.127.80.40][30884] rsp: 250-PERSEUS Hello [216.127.80.40] 250-SIZE 62914560 250-AUTH LOGIN CRAM-MD5 250 OK
17:23:51 [216.127.80.40][30884] cmd: MAIL FROM:<>
17:23:51 [216.127.80.40][30884] rsp: 250 OK <> Sender ok
17:23:51 [216.127.80.40][30884] cmd: RCPT TO:
17:23:51 [216.127.80.40][30884] rsp: 550 No such user here
17:23:51 [216.127.80.40][30884] cmd: RSET
17:23:51 [216.127.80.40][30884] rsp: 250 OK


I had my SPF records set incorrectly and it was instructing other mail
servers to accept email even if not from my mail server.  I changed the SPF
record a few days ago to instruct them to REJECT.  I don't know if that
change will eventually cause the spammer to move on to another domain or
not.

I actually deleted the customer's MX and A record for 2 days (over the
weekend) to see if that might cause the spammer to find another domain.
They aren't sending through my mail server, but I thought perhaps if their
spam target recipient's server checked for a valid mx and found none that
they would reject the spam.  The theory being if the bulk of the spammer's
email was rejected they might move on to another domain.  Unfortunately, as
soon as I added the MX and A record back then the backscatter started again.

How do you guys deal with these?  Just let it run its course?

Thanks,

Dave








[Declude.JunkMail] Dealing with Joe Jobs?

2011-12-06 Thread Dave Beckstrom
Hi All,

This isn't a Declude topic but is relevant to dealing with a sort of spam
issue.  I hope nobody minds discussing this.  I would appreciate hearing any
advice you might have to offer.

I have a customer whose domain is being used for Joe Jobs.  Someone is
randomizing email addresses for this domain and presumably sending out
millions of emails.  My mail server is dealing with the backscatter.  I'm
getting probably close to 50 - 100 server connections a minute.

My smtp log shows the following type of entries (sanitized for posting
here):

17:23:50 [216.127.80.40][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [216.127.80.40][30884] cmd: EHLO shack.traxel.com
17:23:51 [216.127.80.40][30884] rsp: 250-PERSEUS Hello [216.127.80.40] 250-SIZE 62914560 250-AUTH LOGIN CRAM-MD5 250 OK
17:23:51 [216.127.80.40][30884] cmd: MAIL FROM:<>
17:23:51 [216.127.80.40][30884] rsp: 250 OK <> Sender ok
17:23:51 [216.127.80.40][30884] cmd: RCPT TO:
17:23:51 [216.127.80.40][30884] rsp: 550 No such user here
17:23:51 [216.127.80.40][30884] cmd: RSET
17:23:51 [216.127.80.40][30884] rsp: 250 OK


I had my SPF records set incorrectly and it was instructing other mail
servers to accept email even if not from my mail server.  I changed the SPF
record a few days ago to instruct them to REJECT.  I don't know if that
change will eventually cause the spammer to move on to another domain or
not.

I actually deleted the customer's MX and A record for 2 days (over the
weekend) to see if that might cause the spammer to find another domain.
They aren't sending through my mail server, but I thought perhaps if their
spam target recipient's server checked for a valid mx and found none that
they would reject the spam.  The theory being if the bulk of the spammer's
email was rejected they might move on to another domain.  Unfortunately, as
soon as I added the MX and A record back then the backscatter started again.

How do you guys deal with these?  Just let it run its course?

Thanks,

Dave
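
One way to measure the backscatter described in this post from a log in the quoted layout, added here as an example rather than taken from the thread. The recipient addresses, the `198.51.100.x` hosts and `customer.example` are constructed, since the posted log has its addresses removed.

```python
import re
from collections import Counter

# hh:mm:ss [client ip][session id] cmd|rsp: text   (layout of the posted log)
_LINE = re.compile(
    r"^(\d\d:\d\d):\d\d \[([0-9.]+)\]\[(\d+)\] (cmd|rsp): (.*)$")


def backscatter_summary(log_text):
    """Count bounce attempts: null sender (MAIL FROM:<>) answered with 550.

    A 550 for a message with a real envelope sender is an ordinary
    invalid-recipient reject and is tallied separately.
    """
    sessions = {}                 # (ip, session id) -> per-transaction state
    per_minute = Counter()
    per_domain = Counter()
    per_source = Counter()
    other_rejects = 0

    for line in log_text.splitlines():
        match = _LINE.match(line)
        if match is None:
            continue              # "connected at ..." and wrapped lines
        minute, ip, sid, kind, text = match.groups()
        state = sessions.setdefault((ip, sid), {"null": False, "rcpt": None})
        upper = text.upper()

        if kind == "cmd":
            if upper.startswith("MAIL FROM:"):
                state["null"] = text[10:].strip().startswith("<>")
                state["rcpt"] = None
            elif upper.startswith("RCPT TO:"):
                state["rcpt"] = text[8:].strip().strip("<>").lower()
            elif upper.startswith("RSET"):
                state["null"], state["rcpt"] = False, None
        elif text.startswith("550") and state["rcpt"]:
            if state["null"]:
                per_minute[minute] += 1
                per_domain[state["rcpt"].rpartition("@")[2]] += 1
                per_source[ip] += 1
            else:
                other_rejects += 1
            state["rcpt"] = None  # this recipient has been answered

    return {
        "per_minute": dict(per_minute),
        "per_domain": dict(per_domain),
        "per_source": dict(per_source),
        "other_rejects": other_rejects,
    }


# Constructed log: first session mirrors the posted one with an address filled in.
SAMPLE_LOG = """\
17:23:50 [216.127.80.40][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [216.127.80.40][30884] cmd: EHLO shack.traxel.com
17:23:51 [216.127.80.40][30884] cmd: MAIL FROM:<>
17:23:51 [216.127.80.40][30884] rsp: 250 OK <> Sender ok
17:23:51 [216.127.80.40][30884] cmd: RCPT TO:<qx71@customer.example>
17:23:51 [216.127.80.40][30884] rsp: 550 <qx71@customer.example> No such user here
17:23:51 [216.127.80.40][30884] cmd: RSET
17:23:51 [216.127.80.40][30884] rsp: 250 OK
17:23:55 [198.51.100.7][30885] cmd: MAIL FROM:<>
17:23:55 [198.51.100.7][30885] rsp: 250 OK <> Sender ok
17:23:55 [198.51.100.7][30885] cmd: RCPT TO:<bm03@customer.example>
17:23:55 [198.51.100.7][30885] rsp: 550 <bm03@customer.example> No such user here
17:24:02 [198.51.100.9][30886] cmd: MAIL FROM:<alice@sender.example>
17:24:02 [198.51.100.9][30886] rsp: 250 OK <alice@sender.example> Sender ok
17:24:02 [198.51.100.9][30886] cmd: RCPT TO:<typo@customer.example>
17:24:02 [198.51.100.9][30886] rsp: 550 <typo@customer.example> No such user here
17:24:10 [198.51.100.7][30887] cmd: MAIL FROM:<>
17:24:10 [198.51.100.7][30887] rsp: 250 OK <> Sender ok
17:24:10 [198.51.100.7][30887] cmd: RCPT TO:<kk55@customer.example>
17:24:10 [198.51.100.7][30887] rsp: 550 <kk55@customer.example> No such user here
"""

if __name__ == "__main__":
    print(backscatter_summary(SAMPLE_LOG))
```

Tracking the per-minute figure over days shows whether a change such as the SPF update is having any effect on the volume.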








RE: [Declude.JunkMail] RE: email being delivered with blank body. What happened to body?

2011-04-04 Thread Dave Beckstrom
I get the same behavior with smartermail.  I also run into (frequently)
situations where it strips off attachments and people complain they don't
receive their files.  I have also seen where spam will skate right on past
filters that should have triggered.

I suspect there is some very specific series of events that causes the above
weird things to happen.


From: Richard Lyon [mailto:rl...@piolaxusa.com]
Sent: Monday, April 04, 2011 7:53 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] RE: email being delivered with blank body.
What happened to body?


I've seen it with lotus notes delivering to an Outlook client. The emails
show fine in imail's web mail. I've never found a fix. It's related to Lotus
Notes replies - not the original email.

-Original Message-
From: "Rick Davidson" 
Sent 4/4/2011 8:33:10 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] RE: email being delivered with blank body. What
happened to body?



Look for these messages in your log files



WARNING: EOF in multipart processing



I had that problem when I upgraded to Interceptor 3.4.10.48 back in Feb, I
had to roll back to the previous version I was running which is 3.4.42



I have yet to hear back on that one, if anyone has a fix I'd like to hear it





--

Rick



From: Harry Vanderzand [mailto:ha...@intown.net]
Sent: Monday, April 04, 2011 5:54 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] email being delivered with blank body. What
happened to body?



This is occurring to one of my domains.  No others that I can figure.  I see
no pattern as to why the mail gets delivered but the body is missing.  Any
help is sure appreciated.



I run imail with an Alligate front end.



And of course Declude.



Thank you in advance for your assistance.





Thank you



Harry Vanderzand

Intown internet & Erbsville Internet

740 Erbsville Road

Waterloo, ON, N2J3Z4



[Declude.JunkMail] ISIPP SuretyMail Accredited email - spammer?

2011-02-25 Thread Dave Beckstrom
Just received a spam with these headers:

X-IADB-IP: 65.98.250.238
X-IADB-IP-REVERSE: 238.250.98.65
X-IADB-URL: http://www.isipp.com/iadb.php
Received: from AGENT-01.ED.SAC ([10.10.0.24])
X-Mailer: EDM
List-Unsubscribe: <http://go.edirect1.com/l/a/eri/zl/852h/4t/ed9h/exclude.htm>

Went to http://www.isipp.com/iadb.php and
they are claiming they are like Habeas or Bonded Sender.  Anyone know if
these guys are scammers?  I'm considering holding anything with their
headers.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Idea for new Declude add-on

2011-02-18 Thread Dave Beckstrom
Hi John,

I apologize.  At the time I posted that, I didn't realize that autowhite is
no longer being developed.  It is what it is...which is a 3rd party utility
that sounds like it works well with imail.

Until a day or so ago...I didn't recall autowhite or that we had ever
purchased it.  Looked at the docs and saw it was supposed to work with
smartermail...  So I decided to give it a try. It was only after starting
down that road, that I discovered the documentation was incomplete and the
way it has to be implemented in a smartermail environment isn't very
friendly or practical (in my opinion).  So I stand by what I said that I
would not recommend someone purchase autowhite -- but need to qualify that
by saying "unless you use imail".

Even so..the tone of my email was overly harsh.  I apologize for that, too.








From: John T [mailto:johnl...@eservicesforyou.com]
Sent: Friday, February 18, 2011 1:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Idea for new Declude add-on


Dave, it is sad to see you take a discussion we were having via email and
turn it into an unwarranted attack on a product that has been in use as
designed since 2003 and has been working great in its intended and designed
use.

QUOTE: "This product is not ready to be on the market and certainly should
not be something someone pays good money to purchase.  It has promise, but
it's not ready yet."

Your purchase was in 2003. BEFORE a version of Declude was created to work
with Smartermail.



John T
eServices For You




-----Original Message-
From: "Dave Beckstrom" 
Sent 2/18/2011 9:46:15 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on


I installed autowhite.

This product is not ready to be on the market and certainly should not be
something someone pays good money to purchase.  It has promise, but it's not
ready yet.

It's advertised as working with Smartermail.  To use it in a smartermail
environment, you have to go into the registry on the server and enter a
number of IMAIL registry keys.  None of these required keys are currently
documented in the installation docs.  John said he is planning on updating
the installation documentation.

The main problem, however, is that there needs to be a registry key manually
created for each smartermail email domain.  These keys get created under an
IMAIL parent key.  So if you have a control panel, and resellers create new
email domains, the autowhite registry key for that new email domain won't
exist.  Autowhite won't process for that domain.  You would have to modify
your control panel to create the registry key or manually create the keys.

Autowhite also has a log option.  But it won't log without a syslog daemon
on the server.  Autowhite needs to have an option to log to a text file -- I
wouldn't install anything to support a utility being able to log.

-Original Message-
From: Kamran Razvan [mailto:kami.l...@clickandpledge.com]
Sent: Thursday, February 17, 2011 9:01 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Thanks Dave,

Just to show you how it works:

[AUTOWHITE.1]   external>1  "M:\autowhite\autowhite.exe / /R5 /L1 %MAILFROM% %REALRECIPS%" -500
[AUTOWHITE.2]   external>2  "M:\autoWhite\autowhite.exe / /R5 /L1 %MAILFROM% %REALRECIPS%" -100   0

In here if someone is sent an email to a person then the program tracks how
many times that email has been emailed to.  Next time when the person emails
us the program looks at the sender's counter and we add -50 for 1 hit and
-100 for 2 hits and more.  Effectively if I email someone twice they are
whitelisted.

Kami

-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 9:48 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

The author is John Tolmachoff of
http://www.eservicesforyou.com/products/autowhite.html

-Original Message-
From: Kamran Razvan [mailto:kami.l...@clickandpledge.com]
Sent: Thursday, February 17, 2011 9:41 AM
To: Declude.JunkMail@declude.com
Subject: FW: [Declude.JunkMail] Idea for new Declude add-on

Dave,

This program is the exact behavior that autowhite had and one that we are
using now.  Unfortunately I don't remember who had written it.  Anyone
remembers?

The program works beautifully.  Every time I sent an email the person's
email address is added a negative weight.  We use it in a combo filter and
whitelist the person in all future emails.

I know the author decided not to work on it anymore but we have been using
it for years.

Regards,

Kami

-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 8:49 AM
To: Declude.JunkMail@declud

RE: [Declude.JunkMail] Idea for new Declude add-on

2011-02-18 Thread Dave Beckstrom
Sanford,

I'm not complaining.  I'm saying that there is an opportunity for someone to
write the utility I suggested.

I'd write it except the languages I code wouldn't be a good choice for
something like this.


-Original Message-
From: Sanford Whiteman [mailto:sa...@cypressintegrated.com]
Sent: Friday, February 18, 2011 12:00 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Idea for new Declude add-on

> This product is not ready to be on the market and certainly should not
> be something someone pays good money to purchase.  It has promise, but
> it's not ready yet.

Your complaints have to do principally with SmarterMail -- certainly when
the product was published and supported I don't recall anything about
SmarterMail being advertised.  That's an after-the-fact hack, but I don't
know what that has to do with "on the market."

> Autowhite also has a log option.  But it won't log without a syslog
> daemon on the server.

IMail had a syslog daemon built-in.  That's obviously why it was built to
use that functionality.

> Autowhite  needs  to  have  an  option  to  log  to a text file -- I
> wouldn't install anything to support a utility being able to log.

Do your firewalls log to text files on the device, then?

Sounds  like  a  lot  of  FUD  over  a dead product which actually did
exactly  what  it  was  supposed to do, and with more flexibility than most
command-line add-ons.  I for one *wish* that everything logged to syslog.  I
don't want a text file on the local box being written to on every e-mail.
SMTP is disk I/O bound already.

-- S.






RE: [Declude.JunkMail] Idea for new Declude add-on

2011-02-18 Thread Dave Beckstrom


I installed autowhite.

This product is not ready to be on the market and certainly should not be
something someone pays good money to purchase.  It has promise, but it's not
ready yet.

It's advertised as working with Smartermail.  To use it in a smartermail
environment, you have to go into the registry on the server and enter a
number of IMAIL registry keys.  None of these required keys are currently
documented in the installation docs.  John said he is planning on updating
the installation documentation.

The main problem, however, is that there needs to be a registry key manually
created for each smartermail email domain.  These keys get created under an
IMAIL parent key.  So if you have a control panel, and resellers create new
email domains, the autowhite registry key for that new email domain won't
exist.  Autowhite won't process for that domain.  You would have to modify
your control panel to create the registry key or manually create the keys.

Autowhite also has a log option.  But it won't log without a syslog daemon
on the server.  Autowhite needs to have an option to log to a text file -- I
wouldn't install anything to support a utility being able to log.







-Original Message-
From: Kamran Razvan [mailto:kami.l...@clickandpledge.com]
Sent: Thursday, February 17, 2011 9:01 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Thanks Dave,

Just to show you how it works:

[AUTOWHITE.1]   external>1  "M:\autowhite\autowhite.exe
/ /R5 /L1 %MAILFROM% %REALRECIPS%" -500
[AUTOWHITE.2]   external>2  "M:\autoWhite\autowhite.exe
/ /R5 /L1 %MAILFROM% %REALRECIPS%" -100   0

In here if someone is sent an email to a person then the program tracks how
many times that email has been emailed to.  Next time when the person emails
us the program looks at the sender's counter and we add -50 for 1 hit and
-100 for 2 hits and more.  Effectively if I email someone twice they are
whitelisted.

Kami


-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 9:48 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on


The author is John Tolmachoff of
http://www.eservicesforyou.com/products/autowhite.html

-Original Message-
From: Kamran Razvan [mailto:kami.l...@clickandpledge.com]
Sent: Thursday, February 17, 2011 9:41 AM
To: Declude.JunkMail@declude.com
Subject: FW: [Declude.JunkMail] Idea for new Declude add-on

Dave,

This program is the exact behavior that autowhite had and one that we are
using now.  Unfortunately I don't remember who had written it.  Anyone
remembers?

The program works beautifully.  Every time I sent an email the person's
email address is added a negative weight.  We use it in a combo filter and
whitelist the person in all future emails.

I know the author decided not to work on it anymore but we have been using
it for years.

Regards,
Kami



-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 8:49 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on


Great idea Dave thanks. Question. If a user emails a recipient in what
scenario would we not want to whitelist the recipients address ?

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 8:45 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Idea for new Declude add-on



I have an idea for something I think would be a useful add-on for declude. 

Every time someone sends an outbound SMTP email to someone, the add-on would
add an entry to a filter giving the recipient's "to" address a weight of
minus one.  Therefore, giving the recipient a credit.  Any time the
recipient sends an email to my server, minus one gets subtracted from the
total score of their email.

If a user on my server sends a second email to the same recipient, another
minus one credit is added to the filter.  Now that recipient has a credit of
minus two.

The add-on would be configurable to limit the maximum credit a single
address could reach.  It would also have an exclusion ability where you
could enter a list of email addresses that would never receive any credit.

The idea being that the more frequently you email someone, the less likely
that email from them would be spam.

I know some will argue that "from" addresses can be forged and that perhaps
it's not a good idea to give credit based on a "from" address.  But it's not
very often at all I ever receive a spam that came from a friend's forged
"from" address.  I think something along the lines of this type of system
could be useful.






RE: [Declude.JunkMail] Idea for new Declude add-on

2011-02-17 Thread Dave Beckstrom
I couldn't think of any specific instances where you would not want to
whitelist a recipient's address.  Obviously nobody should be emailing a
spammer.

I was trying to cover the bases for those instances that exist but can't be
foreseen yet.

Pondering it a little more  -- one type of an exclusion that would be needed
is if you had a forum where users register and your server sends out a
confirmation/activation email.  Or you send an email as a result of someone
submitting a contact form on your site. In those cases, the "from" address
for your forum or "from" address from your submission form would be the
excluder so that no recipient of email from those automated systems would be
given any credit.



-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 7:49 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Great idea Dave thanks. Question. If a user emails a recipient in what
scenario would we not want to whitelist the recipients address ?

-----Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 8:45 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Idea for new Declude add-on



I have an idea for something I think would be a useful add-on for declude. 

Every time someone sends an outbound SMTP email to someone, the add-on would
add an entry to a filter giving the recipient's "to" address a weight of
minus one.  Therefore, giving the recipient a credit.  Any time the
recipient sends an email to my server, minus one gets subtracted from the
total score of their email.

If a user on my server sends a second email to the same recipient, another
minus one credit is added to the filter.  Now that recipient has a credit of
minus two.

The add-on would be configurable to limit the maximum credit a single
address could reach.  It would also have an exclusion ability where you
could enter a list of email addresses that would never receive any credit.

The idea being that the more frequently you email someone, the less likely
that email from them would be spam.

I know some will argue that "from" addresses can be forged and that perhaps
it's not a good idea to give credit based on a "from" address.  But it's not
very often at all I ever receive a spam that came from a friend's forged
"from" address.  I think something along the lines of this type of system
could be useful.








[Declude.JunkMail] Idea for new Declude add-on

2011-02-17 Thread Dave Beckstrom


I have an idea for something I think would be a useful add-on for declude. 

Every time someone sends an outbound SMTP email to someone, the add-on would
add an entry to a filter giving the recipient's "to" address a weight of
minus one.  Therefore, giving the recipient a credit.  Any time the
recipient sends an email to my server, minus one gets subtracted from the
total score of their email.

If a user on my server sends a second email to the same recipient, another
minus one credit is added to the filter.  Now that recipient has a credit of
minus two.

The add-on would be configurable to limit the maximum credit a single
address could reach.  It would also have an exclusion ability where you
could enter a list of email addresses that would never receive any credit.

The idea being that the more frequently you email someone, the less likely
that email from them would be spam.

I know some will argue that "from" addresses can be forged and that perhaps
it's not a good idea to give credit based on a "from" address.  But it's not
very often at all I ever receive a spam that came from a friend's forged
"from" address.  I think something along the lines of this type of system
could be useful.





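The credit scheme proposed in this post, together with the exclusion for automated senders described in the follow-up reply, as an added Python example; it is not autowhite's code or part of Declude. The class and function names, the `require_verified` switch (a response to the forged-"from" concern raised in the post) and the sample addresses and weights are assumptions made here.

```python
from dataclasses import dataclass, field


def normalize(addr: str) -> str:
    """Canonical form for lookups: no angle brackets, no case differences."""
    return addr.strip().strip("<>").strip().lower()


@dataclass
class CreditLedger:
    """Hypothetical store of per-address credit earned from outbound mail."""
    credit_per_send: int = -1   # weight earned per outbound message (negative = credit)
    max_credit: int = -5        # cap: the most credit one address can hold
    excluded_senders: set = field(default_factory=set)     # local automated senders
    excluded_recipients: set = field(default_factory=set)  # addresses never credited
    require_verified: bool = False  # assumption: ignore credit for unverified senders
    credits: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.credit_per_send > 0 or self.max_credit > 0:
            raise ValueError("credits are expressed as negative weights")
        self.excluded_senders = {normalize(a) for a in self.excluded_senders}
        self.excluded_recipients = {normalize(a) for a in self.excluded_recipients}

    def record_outbound(self, mail_from: str, recipients: list) -> None:
        """Call once per outbound message; each distinct recipient earns one credit."""
        if normalize(mail_from) in self.excluded_senders:
            return  # forum activation mail, contact-form replies and the like
        for rcpt in {normalize(r) for r in recipients}:
            if rcpt in self.excluded_recipients:
                continue
            earned = self.credits.get(rcpt, 0) + self.credit_per_send
            self.credits[rcpt] = max(earned, self.max_credit)  # clamp at the cap

    def weight_for_inbound(self, mail_from: str, sender_verified: bool = True) -> int:
        """Weight to add to an inbound message's total: zero or negative."""
        if self.require_verified and not sender_verified:
            return 0  # a forged "from" must not inherit the real sender's credit
        return self.credits.get(normalize(mail_from), 0)


def disposition(base_weight: int, credit: int, hold_weight: int) -> str:
    """Add the credit to the weight from the other tests and apply the hold threshold."""
    return "HOLD" if base_weight + credit >= hold_weight else "DELIVER"


def demo() -> list:
    """Constructed scenario: five mails to one contact, one automated mail."""
    ledger = CreditLedger(max_credit=-3, excluded_senders={"forum@example.org"})
    for _ in range(5):
        ledger.record_outbound("alice@example.org", ["Bob@Example.com"])
    ledger.record_outbound("forum@example.org", ["newuser@example.net"])
    results = []
    for sender in ("bob@example.com", "newuser@example.net"):
        credit = ledger.weight_for_inbound(sender)
        results.append((sender, credit, disposition(21, credit, hold_weight=20)))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```
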



RE: [Declude.JunkMail] Filter for this?

2011-02-14 Thread Dave Beckstrom
Andrew,

I'm running invURIBL.  It gave a weight of 10:

X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/14/2011 3:50:50 PM
X-invURIBL-Weight: 10
X-invURIBL-Range: HIGH

That only brought it up to 15 and my hold weight is 20.

My declude is a number of years old.  I don't believe I have the zero day.

My problem is I have so little time to work with Declude.  By the time the
spam gets bad enough that I can't put up with it and need to tweak my
filters again, I've forgotten so much its like starting over.  

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Monday, February 14, 2011 5:30 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filter for this?

Dave, the target IP address is a really old spammer block according to
SpamHaus:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL79159
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL79123

Do you have a URL scanner? It should have picked off this one sample.
Besides the Zero Day component of Declude, there's a de facto add-on that's
used by the denizens of this list, but I forget what it's called.

FWIW, no, I'm not seeing this particular domain or destination IP in the
last 45 days.


Andrew.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, February 14, 2011 2:07 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Filter for this?


 
Anyone put together a filter for this?
 
http://en.marriedcomb.com/LsyRi_xEczPyAVLP-6RXIfBHyQKlpLloCVCdRiUQ
j80C
BkFIRsplDbsWp-UntnvcapomnOB34oekSnZlNAVa7SoEUKZSJf38K79Yq79zOT6qBNCTYzL5
B1Gh
PqJ5DauCbtWAubdB8kPQoicfAlkPQyyuRB1333A1YAWUvJhpVPksIVa9IVTj5SmfPzJBU23B
tNGm
LCRUhh-f7TYUkYiSFW1IMFkxyEq98JftNph7Um4mcdzmcpYAh62VI94SDrIhDY8g2Zo-QorZ
UUZW
rwG41Sj6iKchOqqfHLTYKLmL7s5oJBjZ7EZSuBU7CFX8LvTo0pB6qyyUQ4mp35lBXcOsZ1zH
mnGL
Bl_htJf1VGFa4gsO7P6mFVZB3QNk3TPUYWaoBR5AtFjxfs3mv11TZ60J6w" 

Getting dozens of these a day coming through.








[Declude.JunkMail] Filter for this?

2011-02-14 Thread Dave Beckstrom
 
Anyone put together a filter for this?
 
http://en.marriedcomb.com/LsyRi_xEczPyAVLP-6RXIfBHyQKlpLloCVCdRiUQj80C
BkFIRsplDbsWp-UntnvcapomnOB34oekSnZlNAVa7SoEUKZSJf38K79Yq79zOT6qBNCTYzL5B1Gh
PqJ5DauCbtWAubdB8kPQoicfAlkPQyyuRB1333A1YAWUvJhpVPksIVa9IVTj5SmfPzJBU23BtNGm
LCRUhh-f7TYUkYiSFW1IMFkxyEq98JftNph7Um4mcdzmcpYAh62VI94SDrIhDY8g2Zo-QorZUUZW
rwG41Sj6iKchOqqfHLTYKLmL7s5oJBjZ7EZSuBU7CFX8LvTo0pB6qyyUQ4mp35lBXcOsZ1zHmnGL
Bl_htJf1VGFa4gsO7P6mFVZB3QNk3TPUYWaoBR5AtFjxfs3mv11TZ60J6w" 

Getting dozens of these a day coming through.








RE: [Declude.JunkMail] Blocking on no REV DNS?

2011-02-14 Thread Dave Beckstrom
 
Headers from a typical email with missing reverse DNS:
 
Received: from UnknownHost [208.94.247.117] by xx
 
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA
208.94.247.117 with no reverse DNS entry.
 
 
What is the best way to filter on no reverse DNS?

  _  

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, February 14, 2011 10:49 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blocking on no REV DNS?



I suppose it depends on your clients. I host mostly small to medium business
sites, bounce on reverse DNS at my gateway and only get a question once or
twice a year, where I assist some clueless Email Admin about contacting his
ISP to set up the proper reverse DNS.

 

I explain to them that we are in line with AOL, Hotmail, Google and others
that have policies against missing Reverse DNS to show that he may have
FOUND the problem by trying to email US, but that in fact, his emails to
most places on the Internet are being silently deleted, held or flagged as
SPAM - without giving him a warning as WE do.

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, February 14, 2011 9:22 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking on no REV DNS?

 

Years ago it was recommended not to block mail on a missing reverse DNS
because many legitimate mail servers were mis-configured.  

 

We know services like AOL block on missing DNS.  Just wondering, do you
block on missing REV DNS?  If not, do you at least add weight?  

 

I'm getting to the point where if a mail server doesn't have a reverse DNS
then I'm thinking the heck with them



[Declude.JunkMail] Blocking on no REV DNS?

2011-02-14 Thread Dave Beckstrom
Years ago it was recommended not to block mail on a missing reverse DNS
because many legitimate mail servers were mis-configured.  
 
We know services like AOL block on missing DNS.  Just wondering, do you
block on missing REV DNS?  If not, do you at least add weight?  
 
I'm getting to the point where if a mail server doesn't have a reverse DNS
then I'm thinking the heck with them




RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread Dave Beckstrom
Would checking for the DOT, followed by one or more characters, at the end
of the long string serve to eliminate the false positives?  

  _  

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, October 18, 2010 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?



Does the source have a space or different character after the end of the
string ? we could look for a space. or a > or " 

 

(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[>"]))

 

David

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 11:50 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

 

Hi David,

I think it will FP though -
Here is an example:
http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120
ed17cc24cd3567fd4396424914.gif
with some tweaking I think it could be very effective though

We have been wacking the guy w/sniffer General and dnsbl tests.  I cannot
tell you which ones of the latter as they are not shown in my logs.


-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 

  _  

From: "David Barker" 
Sent: Monday, October 18, 2010 10:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Provided the prefix to these is either www or http:// the regex will trigger
on these

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

 

ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1

cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

 

 

  _  

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to be sure we will be talking about
the same guy..

Thanks

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 

  _  

From: "Dave Beckstrom" 
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose URI pattern for the linked spam site is
pretty consistent.  They all have a "/" followed by some kind of home-grown
obfuscation which his server recognizes:   

 

 <http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343>
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 

 

Anyone come up with a clever filter for this?

 

Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains.  Has anyone worked on a solution where the URI can be
checked against the registrar and if it's registered with domainsite.com then
weight can be added or it can be blocked?

 

 


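The two patterns posted on this list (the October 2010 one above and the tighter one from the July 2010 "Regex to block this?" thread), run against URIs quoted in these messages, as an added example that is not code from the list or from Declude. The `no_terminator` and `tightened` patterns and the `downloads.example.com` link are constructed here, and Python's `re` is assumed to treat these constructs the way Declude's regex engine does.

```python
import re

PATTERNS = {
    # Quoted from the thread (October 2010).
    "oct_2010": re.compile(
        r'(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[>"]))'),
    # Quoted from the thread (July 2010): anchored on href=, 37-38 hex digits.
    "jul_2010": re.compile(
        r'(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38}">)'),
    # Constructed: the October pattern with its terminator group removed, to
    # show what that group contributes.
    "no_terminator": re.compile(
        r'(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})'),
    # Constructed (assumption, not from the thread): host limited to one URI,
    # 37-38 hex digits, terminator as a lookahead that also accepts end of input.
    "tightened": re.compile(
        r'(?i)(?:https?://|www\.)[^\s/"<>]+\.(?:com|info|net)/'
        r'[a-f0-9]{37,38}(?=[\s">]|$)'),
}

SAMPLES = {
    # Spam URI from the thread, wrapped in a constructed anchor tag.
    "spam_in_href":
        '<a href="http://cja244.larickcoppas.com/'
        '6878d778dcffdc763118115082cc190a3c0343">',
    # Spam URI exactly as posted to the list: no http:// or www prefix.
    "spam_bare":
        'ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1',
    # Spam URI from the thread as the last thing in the text (no newline after).
    "spam_at_end":
        'Visit http://gseo35.pennyonello.info/'
        '132694139742636427312a49fad18963925fb',
    # The legitimate image URL posted as a likely false positive (wrap removed).
    "ratepoint_image":
        '<img src="http://eimages.ratepoint.com/'
        '7cb5f36dd6464c05d417963e3efc4386/2010-06/'
        '02b120ed17cc24cd3567fd4396424914.gif">',
    # Constructed: legitimate link whose path is a 32-digit MD5-style token.
    "md5_token_link":
        '<a href="http://downloads.example.com/'
        'd41d8cd98f00b204e9800998ecf8427e">',
}


def evaluate(text: str) -> dict:
    """Return {pattern name: True/False} for one line of message body."""
    return {name: bool(rx.search(text)) for name, rx in PATTERNS.items()}


def report() -> dict:
    """Evaluate every sample; keys are sample names."""
    return {label: evaluate(text) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        fired = [name for name, hit in hits.items() if hit] or ["(none)"]
        print(f"{label:16} -> {', '.join(fired)}")
```

The 30-40 digit range still fires on 32-digit (MD5-length) tokens, while the 37-38 range skips both 32 and 40, the two most common hex digest lengths.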

RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread Dave Beckstrom
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
 

  _  

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?


Post a few of his/her base domains - just to be sure we will be talking about
the same guy..

Thanks

-Nick



MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm



  _  

From: "Dave Beckstrom" 
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?


There is a pervasive spammer whose URI pattern for the linked spam site is
pretty consistent.  They all have a "/" followed by some kind of home-grown
obfuscation which his server recognizes:   
 
 <http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343>
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 
 
Anyone come up with a clever filter for this?
 
Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains.  Has anyone worked on a solution where the URI can be
checked against the registrar and if it's registered with domainsite.com then
weight can be added or it can be blocked?
 
 


RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread Dave Beckstrom
Here is another one:
 
gseo35.pennyonello.info/132694139742636427312a49fad18963925fb
 
I've deleted all the previous and hopefully won't get any more after
implementing the filter David sent.

I would still like to be able to block URIs by the DNS server or Registrar
used.  There may be some legitimate domains registered through
domainsite.com but I've not seen any.
 

  _  

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?


Post a few of his/her base domains - just to be sure we will be talking about
the same guy..

Thanks

-Nick



MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm



  _  

From: "Dave Beckstrom" 
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?


There is a pervasive spammer whose URI pattern for the linked spam site is
pretty consistent.  They all have a "/" followed by some kind of home-grown
obfuscation which his server recognizes:   
 
 <http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343>
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 
 
Anyone come up with a clever filter for this?
 
Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains.  Has anyone worked on a solution where the URI can be
checked against the registrar and if it's registered with domainsite.com then
weight can be added or it can be blocked?
 
 


[Declude.JunkMail] Good filter?

2010-10-18 Thread Dave Beckstrom
There is a pervasive spammer whose URI pattern for the linked spam site is
pretty consistent.  They all have a "/" followed by some kind of home-grown
obfuscation which his server recognizes:   
 
 
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 
 
Anyone come up with a clever filter for this?
 
Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains.  Has anyone worked on a solution where the URI can be
checked against the registrar and if it's registered with domainsite.com then
weight can be added or it can be blocked?
 
 




[Declude.JunkMail] Server AV Scanner

2010-08-12 Thread Dave Beckstrom
Hi Everyone,

I sold off the lion's share of my web business 3 years ago.  I still host a few
sites for some people who have been with me for a really long time.  But I
don't have the revenue I once did and hence can't afford to renew Declude
(I'm running an older version) or buy any software.

I used to use F-prot (command line version) to virus scan email at the
server via Declude.  They no longer offer the signature files for that
version of F-prot. 

I haven't found anything in my searches so I thought I'd ask here -- is
there a free antivirus scanner available that will run on 2003 server and
which I could tie into Declude?

Thanks,

Dave



RE: [Declude.JunkMail] Regex to block this?

2010-07-20 Thread Dave Beckstrom
Thanks.   David's regex worked well.  I'll give the fine tuning a try.

Also, all of this spammer's domains are in DNS servers ns1.domainsite.com -
ns4.domainsite.com.  



> I might fine tune it a bit.
> I've only seen length 37 and 38 characters after the tld
> It is only lower case hex codes so you can exclude (g-z)
> I've seen lots of .info and a few .nets as additional tld.
> Very active spammer here
> 
> (?i:href=.+\.(com|info|net)/[a-f0-9]{37,38}">)
> 
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> Beckstrom
> Sent: Tuesday, July 20, 2010 8:00 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Regex to block this?
> 
> 
> I'm getting hit by one spammer who manages to get through most of my
> filters.  His spam consistently uses the format of:
> 
> 
> href="http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5">
> http://gcc128.blinksroads.com/images/157286c08.jpg"
> 
> How would I write a regex that would look for .com/  followed by a string of
> garbage with no .htm or other web extension on the end?
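The tuned pattern from this thread, exercised on sample markup as an added example (not code from the original posts). The two spam URLs are the ones quoted in this archive; the surrounding HTML, the `example.*` hosts, and the names `HrefCollector` and `suspicious_links` are constructed for illustration. It also shows a structural check built on the same observations (TLD set, 37 to 38 lowercase hex characters as the whole path), which avoids a false hit caused by the greedy `.+`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The tuned pattern exactly as posted in the thread (Python's re accepts this PCRE syntax).
POSTED = re.compile(r'(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38}">)')

# Structural version of the same observations: TLD in the posted set and a
# path that is nothing but 37-38 lowercase hex characters.
HEX_PATH = re.compile(r"/[a-f0-9]{37,38}")
TLDS = {"com", "info", "net"}


class HrefCollector(HTMLParser):
    """Collect href attribute values from anchor tags only."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def suspicious_links(html):
    """Return anchor hrefs whose host TLD and path match the reported URL shape."""
    collector = HrefCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for href in collector.hrefs:
        url = urlsplit(href)
        tld = (url.hostname or "").rsplit(".", 1)[-1]
        if tld in TLDS and not url.query and HEX_PATH.fullmatch(url.path):
            hits.append(href)
    return hits


# URLs below are the two quoted in this archive; the surrounding HTML is constructed.
SPAM_1 = ('<a href="http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5">'
          '<img src="http://gcc128.blinksroads.com/images/157286c08.jpg"></a>')
SPAM_2 = '<a href="http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343">x</a>'

# Constructed benign cases (example.* hosts are placeholders).
# A 32-character hex path, the length of an MD5 digest: too short for either check.
HAM_MD5 = '<a href="http://files.example.com/d41d8cd98f00b204e9800998ecf8427e">md5</a>'
# The link goes to a .org page, but a 38-hex image URL follows on the same line,
# so the greedy ".+" in the posted pattern spans from href= to the image.
HAM_GREEDY = ('<a href="http://www.example.org/news">news</a> '
              '<img src="http://cdn.example.com/5768cbbeb6bba86c3157116a6de8e54b31dab5">')

if __name__ == "__main__":
    for label, sample in [("SPAM_1", SPAM_1), ("SPAM_2", SPAM_2),
                          ("HAM_MD5", HAM_MD5), ("HAM_GREEDY", HAM_GREEDY)]:
        print(label, "posted:", bool(POSTED.search(sample)),
              "structural:", suspicious_links(sample))
```
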



[Declude.JunkMail] Regex to block this?

2010-07-20 Thread Dave Beckstrom
I'm getting hit by one spammer who manages to get through most of my
filters.  His spam consistently uses the format of:

http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5">
http://gcc128.blinksroads.com/images/157286c08.jpg"

How would I write a regex that would look for .com/  followed by a string of
garbage with no .htm or other web extension on the end?











[Declude.JunkMail] Blocking domains by DNS server?

2010-07-01 Thread Dave Beckstrom

There is a pervasive spammer out there, where the common denominator in the
jerk's spam is the fact that all of the domains in the body of the email are
served by DNS servers NS1.domainsite.com - NS4.domainsite.com.

I want to block all email where a link in the body is resolved by one of
those DNS servers.  I haven't looked at my invURIBL config for some time,
but isn't that one of the things that it can do?  If so, how do I set that
up?   Otherwise, is there another way to achieve the above?

 








[Declude.JunkMail] PowerMTA

2010-01-13 Thread Dave Beckstrom
I'm seeing a lot of spam with this in the headers:

PowerMTA(TM) v3.0c2


Is powerMTA mainly a spam tool or do legitimate mailers use it too? Just
trying to decide if I can add some weight if that header exists.

Also of late I'm seeing a lot of spam containing ssl in part of the domain
name:

Return-Path:  Wed Jan 13 15:03:22 2010
Received: from ssl.realnightlywork.com [173.45.68.45] by

Anyone adding weight if the domain contains ssl?








[Declude.JunkMail] Testing Spamcop blocked?

2010-01-08 Thread Dave Beckstrom
Does the spamblock IP4R always return "blocked" if an IP is found or can it
return something less severe than blocked?  Just wondering if there is a way
to hold on "blocked" and warn on a less severe hit. 








[Declude.JunkMail] 3rd party tool to call registrar/whois lookup?

2009-02-24 Thread Dave Beckstrom

Much of the spam we receive contains embedded links for, or from, domains
registered within the last 2 - 3 weeks.  

Is there a 3rd party utility that could be called from Declude which would
check the domain registration date and either block or add weight to any
domain registered within the last 30 (or a user specified range) days?









[Declude.JunkMail] Senderbase

2009-02-21 Thread Dave Beckstrom

I would like to use senderbase with Declude.  

Does anyone happen to know if there is a way to extract the entire list of
IPs with a POOR reputation from senderbase?  I know that it can be done via
export but it seems to be limited to certain IP ranges at a time.

Does senderbase have any kind of an API or XML feed?









RE: [Declude.JunkMail] Mailfrom Processing

2009-02-21 Thread Dave Beckstrom

Does the ANYWHERE filter specification not include HEADERS?  ANYWHERE should
include every testable location including HEADERS, correct?


I'm getting really disgusted.  I set up this filter:

ANYWHERE 6 PCRE (?i:as.{0,2}seen.{0,2}on.{0,2}(?:oprah|60.{0,2}minutes))


I tested the filter and "AsSeenOn 60-Minutes" triggers a match in my regex
tester.


Yet the following email (which contained the text in "FROM") did not trigger
the spam filter.  



Return-Path:  Sat Feb 21 10:28:21 2009
Received: from d3.92.b6.static.xlhost.com [207.182.146.211] by xxx.xxx.com
with SMTP;
   Sat, 21 Feb 2009 10:28:21 -0600
Reply-To: 
In-Reply-To: 20090221112930.gnforzb...@mx4.fivedaybox.com.3653
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="_=_extPart_000_0097_b7aff28c.b7aff28c"
Content-class: urn:content-classes:message
Return-path:  
Subject: [SPAM]- Score (17)RE: The MOST POTENT Anti-Aging Supplement
Available Anywhere
Date: Sat, 21 Feb 2009 11:29:30 -0500
Message-Id: <20090221112930.gnforzb...@mx4.fivedaybox.com>
Thread-Topic: RE: The MOST POTENT Anti-Aging Supplement Available Anywhere


From: "AsSeenOn 60-Minutes"



To: 
Importance: Normal
X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/21/2009 10:28:31 AM
X-invURIBL-Weight: 9
X-invURIBL-Range: MEDIUM
X-RBL-Warning: CBL: "Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=207.182.146.211"
X-RBL-Warning: SPAMCOP: "Blocked - see
http://www.spamcop.net/bl.shtml?207.182.146.211"
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[4000100e].
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
X-RBL-Warning: INV-URIBL: Message failed INV-URIBL: 9.
X-Declude-Sender: stopquh...@fivedaybox.com [207.182.146.211]
X-Declude-RefID: 
X-Note: 
X-Note: Spam Score: [17]
X-Note: Scan Time: 10:28:34 on 21 Feb 2009
X-Note: Spool File: 369856000891.eml
X-Note: Server Name: mx4.fivedaybox.com
X-Note: SMTP Sender: stopquh...@fivedaybox.com
X-Note: Reverse DNS & IP: d3.92.b6.static.xlhost.com [207.182.146.211]
X-Note: Recipient(s): x...@xxx.com
X-Note: Country Chain: [ARIN Unlisted]->destination
X-Note: Failed Weights: CATCHALLMAILS [0], CBL [6], SPAMCOP [7], SPAMHEADERS
[3], SPFPASS [0], INV-URIBL [9], WEIGHT10 [10], WEIGHT14 [14]
X-Note: 





> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
> Barker
> Sent: 2009-02-11 08:29
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Mailfrom Processing
> 
> If you want to record the name of the sender (according to the SMTP
> Envelope) in the E-mail headers, you can use the XSENDER configuration
> option. To do this, add a line to the global.cfg file as:
> 
> XSENDER  ON
> 
> Regular expressions are very different and powerful because they give the
> ability to look for patterns rather than straight matches.
> 
> 
> David Barker
> VP Operations Declude
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
> dbar...@declude.com
> 
> 
> 
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> Beckstrom
> Sent: Monday, February 09, 2009 5:18 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Mailfrom Processing
> 
> David,
> 
> I don't have an X-Declude-Sender configured.  I'll add that.
> 
> Okay, so I already have "Headers contains John Cummuta" or something along
> those lines set up.  How would the regular expression be any different?  Is
> it more effective because of the wild card?
> 
> 
> 
> > -Original Message-
> > From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
> > Barker
> > Sent: 2009-02-09 16:03
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Mailfrom Processing
> >
> > This may not be the actual sender, the actual sender is what is found in the
> > envelope or q*.smd (IM) or *.eml (SM) and found in the X-Declude-Sender
> > line.
> >
> > If you need a filter the best way would be to use the regular expressions
> > such as:
> >
> > HEADERS 0 PCRE (?im:From:.*John Cummuta")
> >
> >
> > David Barker
> > VP Operations Declude
> > Your Email security is our business
> > 978.499.2933 office
> > 978.988.1311 fax
> > dbar...@declude.com
> >
> >
> >
> >
> > -Original Message-
> > From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> > Beckstrom
> > Sent: Monday, February 09, 2009 4:53 PM
> > To: declude.

RE: [Declude.JunkMail] Spam Score?

2009-02-19 Thread Dave Beckstrom
David,

Never mind.  I found in the logs where those tests you mentioned are giving
the email a credit (negative weight) and thus the total weight is adjusted
accordingly.

I have IPNOTINMX and NOLEGITCONTENT set up under HIDETESTS which explains
why the confusion on the total score.

BTW -- I would still like to see some people post their ip4r tests to the
list.  I have a hunch I'm missing some valuable tests in my list.

Thanks,

Dave

> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> Beckstrom
> Sent: 2009-02-19 08:56
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Spam Score?
> 
> David,
> 
> Here is the test:
> 
> CBL IP4R cbl.abuseat.org 127.0.0.2 6 0
> 
> According to these headers:
> 
> X-RBL-Warning: CBL: "Blocked - see
> http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131"
> X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0]
> 
> Wasn't the test triggered and a score of 6 should have been added to the
> total score?
> 
> 
> 
> > -Original Message-
> > From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
> > Barker
> > Sent: 2009-02-19 08:37
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Spam Score?
> >
> > Dave,
> >
> > The last column of a test is the value added or subtracted if the test is
> > NOT triggered. IF a test is NOT triggered it will not show up in the header.
> > The most common that are used like this are:
> >
> > IPNOTINMX
> > NOLEGITCONTENT
> > FROMNOMATCH
> >
> > David Barker
> > VP Operations Declude
> > Your Email security is our business
> > 978.499.2933 office
> > 978.988.1311 fax
> > dbar...@declude.com
> >
> >
> >
> > -Original Message-
> > From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> > Beckstrom
> > Sent: Thursday, February 19, 2009 9:33 AM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Spam Score?
> >
> >
> > Something is happening with our spam score that I don't quite understand.
> > If you look below at the (sanitized) email headers you'll see that the CBL
> > test scored 6 and spamheaders scored 3 and yet the final score for this
> > email was Spam Score: [1]
> >
> > Shouldn't the score have been 9?
> >
> > On another note, if the CBL ip4rl test shows "blocked" what is the best way
> > to hold this email?  I assume that I would just up the weighting from 6 to
> > my hold level?  Do you guys hold email based only on an rbl response of
> > "blocked" or do you require additional tests to fail?
> >
> > If a few folks would like to post their ip4r tests from the global.cfg I
> > think that would be really helpful to a lot of people.  I know that my
> > global.cfg is a good number of years old and the ip4r tests are not tests
> > that I've updated in a long time.  Seeing what others are using would help
> > me identify if I have tests I'm not using but should be using and vice
> > versa.
> >
> > Thanks,
> >
> > Dave
> >
> >
> >
> >
> > Return-Path:  Thu Feb 19 03:29:48 2009
> > Received: from server1.taxhelpis.com [65.60.20.131] ..com with SMTP;
> >    Thu, 19 Feb 2009 03:29:48 -0600
> > Reply-To: 
> > In-Reply-To: 20090219033057.ggnppl...@mx2.bestlevelterm.com.1329
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative;
> >boundary="_=_extPart_000_0097_a3d0dac.a3d0dac"
> > Content-class: urn:content-classes:message
> > Return-path:  
> > Subject:Vehicle Warranty - 60% OFF Dealers Price
> > Date: Thu, 19 Feb 2009 03:30:57 -0600
> > Message-Id: <20090219033057.ggnppl...@mx2.bestlevelterm.com>
> > Thread-Topic: RE: This email can save your life
> > From: "Continued Auto Coverage"
> > To: 
> > Importance: Normal
> > X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/19/2009 3:29:58 AM
> > X-invURIBL-Weight: 0
> > X-invURIBL-Range: CLEAN
> > X-RBL-Warning: CBL: "Blocked - see
> > http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131"
> > X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
> > [4000100e].
> > X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
> > X-Declude-Sender: yourautopolicyvxw...@bestlevelterm.com [65.60.20.131]
> > X-Declude-RefID:
> > X-Note: ==
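The score question in this thread, worked through as an added example (not code from the original posts or from Declude). It parses the pasted headers, sums the weights listed under "Failed Weights", and reports the difference from the stated Spam Score, which is the contribution of tests that do not appear in the headers. The header lines are taken from the message quoted above, re-wrapped to exercise the unfolding; the function names are made up here, and reading the second-to-last column of a test line as the "triggered" weight is an inference from `CBL [6]` matching the posted test line.

```python
import re

# A real header line starts "Name: "; "http://..." and "[4000100e]." do not,
# so those are treated as wrapped continuations of the previous header.
HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:(\s|$)")
WEIGHT_ITEM = re.compile(r"([A-Z0-9_-]+) \[(-?\d+)\]")
SCORE = re.compile(r"Spam Score: \[(-?\d+)\]")


def unfold(raw):
    """Join wrapped lines back onto the header they belong to."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if HEADER_START.match(line) or not headers:
            headers.append(line.strip())
        else:
            headers[-1] += " " + line.strip()
    return headers


def parse_test_line(line):
    """Split a global.cfg test line; the last column applies when NOT triggered."""
    name, kind, *args, hit, miss = line.split()
    return {"name": name, "type": kind, "args": args,
            "weight_if_hit": int(hit),    # assumption: inferred from CBL [6]
            "weight_if_miss": int(miss)}  # per the reply quoted in the thread


def reconcile(raw_headers):
    """Compare the reported score with the weights visible in the headers."""
    reported, visible = None, {}
    for header in unfold(raw_headers):
        if not header.startswith("X-Note:"):
            continue
        match = SCORE.search(header)
        if match:
            reported = int(match.group(1))
        if "Failed Weights:" in header:
            visible = {name: int(w) for name, w in WEIGHT_ITEM.findall(header)}
    if reported is None:
        raise ValueError("no 'Spam Score' X-Note header found")
    visible_sum = sum(visible.values())
    return {"reported": reported, "visible": visible,
            "visible_sum": visible_sum,
            # Non-zero means tests outside the headers moved the score
            # (hidden tests, or weights applied for NOT triggering).
            "hidden_delta": reported - visible_sum}


# Header values from the message in this thread; line wrapping is constructed.
SAMPLE = """\
X-RBL-Warning: CBL: "Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131"
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[4000100e].
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
X-Note: Spam Score: [1]
X-Note: Scan Time: 03:30:01 on 19 Feb 2009
X-Note: Failed Weights: CBL [6], SPAMHEADERS
[3], SPFPASS [0]
"""

if __name__ == "__main__":
    print(parse_test_line("CBL IP4R cbl.abuseat.org 127.0.0.2 6 0"))
    print(reconcile(SAMPLE))
```
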

RE: [Declude.JunkMail] Spam Score?

2009-02-19 Thread Dave Beckstrom
David,

Here is the test:

CBL IP4R cbl.abuseat.org 127.0.0.2 6 0

According to these headers:

X-RBL-Warning: CBL: "Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131"
X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0]

Wasn't the test triggered and a score of 6 should have been added to the
total score?



> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
> Barker
> Sent: 2009-02-19 08:37
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Spam Score?
> 
> Dave,
> 
> The last column of a test is the value added or subtracted if the test is
> NOT triggered. IF a test is NOT triggered it will not show up in the header.
> The most common that are used like this are:
> 
> IPNOTINMX
> NOLEGITCONTENT
> FROMNOMATCH
> 
> David Barker
> VP Operations Declude
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
> dbar...@declude.com
> 
> 
> 
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> Beckstrom
> Sent: Thursday, February 19, 2009 9:33 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Spam Score?
> 
> 
> Something is happening with our spam score that I don't quite understand.
> If you look below at the (sanitized) email headers you'll see that the CBL
> test scored 6 and spamheaders scored 3 and yet the final score for this
> email was Spam Score: [1]
> 
> Shouldn't the score have been 9?
> 
> On another note, if the CBL ip4rl test shows "blocked" what is the best way
> to hold this email?  I assume that I would just up the weighting from 6 to
> my hold level?  Do you guys hold email based only on an rbl response of
> "blocked" or do you require additional tests to fail?
> 
> If a few folks would like to post their ip4r tests from the global.cfg I
> think that would be really helpful to a lot of people.  I know that my
> global.cfg is a good number of years old and the ip4r tests are not tests
> that I've updated in a long time.  Seeing what others are using would help
> me identify if I have tests I'm not using but should be using and vice
> versa.
> 
> Thanks,
> 
> Dave
> 
> 
> 
> 
> Return-Path:  Thu Feb 19 03:29:48 2009
> Received: from server1.taxhelpis.com [65.60.20.131] ..com with SMTP;
>    Thu, 19 Feb 2009 03:29:48 -0600
> Reply-To: 
> In-Reply-To: 20090219033057.ggnppl...@mx2.bestlevelterm.com.1329
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>boundary="_=_extPart_000_0097_a3d0dac.a3d0dac"
> Content-class: urn:content-classes:message
> Return-path:  
> Subject:Vehicle Warranty - 60% OFF Dealers Price
> Date: Thu, 19 Feb 2009 03:30:57 -0600
> Message-Id: <20090219033057.ggnppl...@mx2.bestlevelterm.com>
> Thread-Topic: RE: This email can save your life
> From: "Continued Auto Coverage"
> To: 
> Importance: Normal
> X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/19/2009 3:29:58 AM
> X-invURIBL-Weight: 0
> X-invURIBL-Range: CLEAN
> X-RBL-Warning: CBL: "Blocked - see
> http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131"
> X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
> [4000100e].
> X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
> X-Declude-Sender: yourautopolicyvxw...@bestlevelterm.com [65.60.20.131]
> X-Declude-RefID:
> X-Note: 
> X-Note: Spam Score: [1]
> X-Note: Scan Time: 03:30:01 on 19 Feb 2009
> X-Note: Spool File: 369855951432.eml
> X-Note: Server Name: mx2.bestlevelterm.com
> X-Note: SMTP Sender: yourautopolicyvxw...@bestlevelterm.com
> X-Note: Reverse DNS & IP: server1.taxhelpis.com [65.60.20.131]
> X-Note: Recipient(s): 
> X-Note: Country Chain: [ARIN Unlisted]->destination
> X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0]
> X-Note: 



[Declude.JunkMail] Spam Score?

2009-02-19 Thread Dave Beckstrom

Something is happening with our spam score that I don't quite understand.
If you look below at the (sanitized) email headers you'll see that the CBL
test scored 6 and spamheaders scored 3 and yet the final score for this
email was Spam Score: [1]

Shouldn't the score have been 9?

On another note, if the CBL ip4rl test shows "blocked" what is the best way
to hold this email?  I assume that I would just up the weighting from 6 to
my hold level?  Do you guys hold email based only on an rbl response of
"blocked" or do you require additional tests to fail?  

If a few folks would like to post their ip4r tests from the global.cfg I
think that would be really helpful to a lot of people.  I know that my
global.cfg is a good number of years old and the ip4r tests are not tests
that I've updated in a long time.  Seeing what others are using would help
me identify if I have tests I'm not using but should be using and vice
versa.

Thanks,

Dave




Return-Path:  Thu Feb 19 03:29:48 2009
Received: from server1.taxhelpis.com [65.60.20.131] ..com with SMTP;
   Thu, 19 Feb 2009 03:29:48 -0600
Reply-To: 
In-Reply-To: 20090219033057.ggnppl...@mx2.bestlevelterm.com.1329
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="_=_extPart_000_0097_a3d0dac.a3d0dac"
Content-class: urn:content-classes:message
Return-path:  
Subject:Vehicle Warranty - 60% OFF Dealers Price 
Date: Thu, 19 Feb 2009 03:30:57 -0600
Message-Id: <20090219033057.ggnppl...@mx2.bestlevelterm.com>
Thread-Topic: RE: This email can save your life
From: "Continued Auto Coverage"
To: 
Importance: Normal
X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/19/2009 3:29:58 AM
X-invURIBL-Weight: 0
X-invURIBL-Range: CLEAN
X-RBL-Warning: CBL: "Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131"
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[4000100e].
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
X-Declude-Sender: yourautopolicyvxw...@bestlevelterm.com [65.60.20.131]
X-Declude-RefID: 
X-Note: 
X-Note: Spam Score: [1]
X-Note: Scan Time: 03:30:01 on 19 Feb 2009
X-Note: Spool File: 369855951432.eml
X-Note: Server Name: mx2.bestlevelterm.com
X-Note: SMTP Sender: yourautopolicyvxw...@bestlevelterm.com
X-Note: Reverse DNS & IP: server1.taxhelpis.com [65.60.20.131]
X-Note: Recipient(s): 
X-Note: Country Chain: [ARIN Unlisted]->destination
X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0]
X-Note: 







RE: [Declude.JunkMail] Regex

2009-02-18 Thread Dave Beckstrom
David,

Thanks.  For the life of me I did not see that extra period.

> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
> Barker
> Sent: 2009-02-18 12:39
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Regex
> 
> I would say you have it pretty much down. If I did it I would have this
> 
> (?i:as.{0,2}seen.{0,2}on.{0,2}(?:oprah|60.{0,2}minutes))
> 
> You have an extra . between seen and on
> 
> David B
> 
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> Beckstrom
> Sent: Wednesday, February 18, 2009 1:28 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Regex
> 
> 
> Trying to filter on:
> 
> Asseenon Oprah
> As seen on Oprah
> As seen on 60 minutes
> Asseenon 60 minutes
> As seen on 60-minutes
> 
> This regex matches on, for example, "asseen on 60 minutes" but does not
> match on "asseenon 60 minutes"  What did I do wrong?
> 
>  Is there a better way to code this?
> 
> ANYWHERE  3 PCRE (?i:as.{0,2}seen.{0,2}.on.{0,2}(?:oprah|60.minutes))
> 
> 
> 
> 
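Why the extra "." mattered, shown as an added example (not part of the original posts). Both filter bodies are copied from this thread; the helper names `missed` and `accepted_gaps` and the "_" filler text are constructed. The mandatory "." shifts the allowed gap between "seen" and "on" from 0-2 characters to 1-3, which is exactly what drops the run-together "Asseenon" variants.

```python
import re

# Filter bodies from the thread: the original with the stray "." and the
# correction given in the reply.
ORIGINAL = r"(?i:as.{0,2}seen.{0,2}.on.{0,2}(?:oprah|60.minutes))"
CORRECTED = r"(?i:as.{0,2}seen.{0,2}on.{0,2}(?:oprah|60.{0,2}minutes))"

# The five phrasings listed in the original question.
TARGETS = [
    "Asseenon Oprah",
    "As seen on Oprah",
    "As seen on 60 minutes",
    "Asseenon 60 minutes",
    "As seen on 60-minutes",
]


def missed(pattern, phrases=TARGETS):
    """Return the phrases the pattern fails to match anywhere."""
    rx = re.compile(pattern)
    return [p for p in phrases if not rx.search(p)]


def accepted_gaps(pattern, max_gap=5):
    """Return the filler lengths between 'seen' and 'on' that still match.

    Only that one gap varies; 'seen' and 'on' each occur once in the probe,
    so a match pins the gap to exactly n characters.
    """
    rx = re.compile(pattern)
    return [n for n in range(max_gap + 1)
            if rx.search("as seen" + "_" * n + "on oprah")]


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, "gap lengths accepted:", accepted_gaps(pattern))
        print(label, "missed:", missed(pattern))
```

The corrected filter no longer accepts a three-character gap between "seen" and "on", which the original did; widen the quantifier if that spacing shows up in real mail.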



[Declude.JunkMail] Regex

2009-02-18 Thread Dave Beckstrom

Trying to filter on:

Asseenon Oprah
As seen on Oprah
As seen on 60 minutes
Asseenon 60 minutes
As seen on 60-minutes

This regex matches on, for example, "asseen on 60 minutes" but does not
match on "asseenon 60 minutes"  What did I do wrong? 

 Is there a better way to code this?

ANYWHERE 3 PCRE (?i:as.{0,2}seen.{0,2}.on.{0,2}(?:oprah|60.minutes))







RE: [Declude.JunkMail] Mailfrom Processing

2009-02-09 Thread Dave Beckstrom
David,

I don't have an X-Declude-Sender configured.  I'll add that.

Okay, so I already have "Headers contains John Cummuta" or something along
those lines set up.  How would the regular expression be any different?  Is
it more effective because of the wild card?



> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
> Barker
> Sent: 2009-02-09 16:03
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Mailfrom Processing
> 
> This may not be the actual sender, the actual sender is what is found in the
> envelope or q*.smd (IM) or *.eml (SM) and found in the X-Declude-Sender
> line.
> 
> If you need a filter the best way would be to use the regular expressions
> such as:
> 
> HEADERS 0 PCRE (?im:From:.*John Cummuta")
> 
> 
> David Barker
> VP Operations Declude
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
> dbar...@declude.com
> 
> 
> 
> 
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> Beckstrom
> Sent: Monday, February 09, 2009 4:53 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Mailfrom Processing
> 
> 
> What filter will trigger on the words "John Cummuta" when the from address
> is formatted like:
> 
> From: "John Cummuta" 
> 
> 
> Neither the mailfrom or headers filters are triggering on this.
> 
> 
> 
> 



RE: [Declude.JunkMail] Mailfrom Processing

2009-02-09 Thread Dave Beckstrom

What filter will trigger on the words "John Cummuta" when the from address
is formatted like:

From: "John Cummuta" 


Neither the mailfrom or headers filters are triggering on this.







RE: [Declude.JunkMail] Mailfrom Processing

2009-02-03 Thread Dave Beckstrom
Here is a snippet of an email header for an email received:

Return-Path:  Mon Feb 02 16:35:28 2009
Received: from mail.clockpleas.com [64.235.54.175] by xxx.xxx.com with SMTP;
   Mon, 2 Feb 2009 16:35:28 -0600
From: "J. Cummuta" 
To: 
Subject: Even your house is paid off
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii;
Content-Transfer-Encoding: 8bit

The actual email address is always changing.  However,  "J. Cummuta" in the
FROM address seems pretty consistent.  

If MAILFROM won't catch these, shouldn't the HEADERS test catch these?





> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
> Barker
> Sent: 2009-01-05 15:25
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Mailfrom Processing
> 
> Declude looks at the MAILFROM in the envelope (*.hdr or q*.smd) and matches
> just on the email address.
> 
> 
> David Barker
> VP Operations Declude
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
> dbar...@declude.com
> 
> 
> 
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
> Beckstrom
> Sent: Monday, January 05, 2009 4:18 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Mailfrom Processing
> 
> 
> 
> I have a question about the MAILFROM processing.   Does this look at the
> display name too or just at the actual email address?
> 
> I was trying to block the Loud N Clear ads by referencing the display name
> because it seemed to be pretty consistent while the email address itself
> didn't change.  I set up the following and it didn't appear to work:
> 
> MAILFROM 0 contains loudandclear
> 
> 
> Is the only way to filter on the display name in the from address to use the
> HEADERS filter?
> 
> Thanks,
> 
> Dave
> 
> 
> 
> 



[Declude.JunkMail] Mailfrom Processing

2009-01-05 Thread Dave Beckstrom


I have a question about the MAILFROM processing.   Does this look at the
display name too or just at the actual email address?

I was trying to block the Loud N Clear ads by referencing the display name
because it seemed to be pretty consistent while the email address itself
didn't change.  I set up the following and it didn't appear to work:
 
MAILFROM 0 contains loudandclear


Is the only way to filter on the display name in the from address to use the
HEADERS filter?

Thanks,

Dave







RE: [Declude.JunkMail] BadHeaders?

2008-04-30 Thread Dave Beckstrom
David,

Thank you for the explanation. I actually wrote the code that generates the
Message-ID.  Do you happen to have a link to documentation that would show
the proper format for the Message-ID?

Thanks,

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Wednesday, April 30, 2008 11:55 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] BadHeaders?
> 
> The E-mail failed the BADHEADERS test. This means the email failed with a
> violation of the RFC. This specific code indicates an incorrect Message-ID:
> in the header.
> 
> David B
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Wednesday, April 30, 2008 12:36 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] BadHeaders?
> 
> Hi Everyone,
> 
> We have an application that generates email using Cold Fusion.  The
> application sends email to me.  The email never goes outside of our servers.
> Declude is flagging the email as having BadHeaders:
> 
> X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
> [8004000e].
> 
> I don't have a clear understanding of what BadHeaders evaluates.  I realize
> I can whitelist the email but what I really want to do is figure out how to
> fix how Cold Fusion formats the email so that it does not trigger the
> BadHeaders test.  We do send email via other applications to outside users
> and so fixing this problem will help insure delivery to those people, too.
> 
> Thanks,
> 
> Dave
> 
> 
> 
> 
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
> 
> 
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
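
A check of a Message-ID value against the msg-id grammar in RFC 5322 section 3.6.4, added here as an example; it is not code from this thread or from Declude, whose own BADHEADERS logic is not shown on the page and may differ. The sample values and the `mail.example.com` domain are constructed, and the obsolete forms and header comments the RFC also permits are left out.

```python
import re
import uuid

# RFC 5322 section 3.6.4, obsolete forms left out:
#   msg-id   = "<" id-left "@" id-right ">"
#   id-left  = dot-atom-text
#   id-right = dot-atom-text / "[" *dtext "]"
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
NO_FOLD_LITERAL = r"\[[\x21-\x5a\x5e-\x7e]*\]"


def message_id_problems(value):
    """Return the reasons a Message-ID header value breaks the grammar above."""
    v = value.strip()
    if not v:
        return ["header is empty"]
    problems = []
    enclosed = v.startswith("<") and v.endswith(">")
    if not enclosed:
        problems.append("not enclosed in angle brackets")
    inner = v[1:-1] if enclosed else v.strip("<>")
    if inner.count("@") != 1:
        problems.append("needs exactly one '@' between left and right side")
        return problems
    left, right = inner.split("@")
    if not re.fullmatch(DOT_ATOM, left):
        problems.append("left side is not a dot-atom (spaces, empty labels or "
                        "characters outside atext)")
    if not re.fullmatch(rf"{DOT_ATOM}|{NO_FOLD_LITERAL}", right):
        problems.append("right side is neither a dot-atom nor a bracketed literal")
    return problems


def new_message_id(domain):
    """Build a unique, grammar-conforming Message-ID for the given host name."""
    return f"<{uuid.uuid4().hex}@{domain}>"


# Constructed sample values, not taken from the thread.
SAMPLES = [
    "<20080430.1136.a1b2c3@mail.example.com>",   # valid
    "<id@[192.0.2.10]>",                         # valid, bracketed literal
    "20080430113600@mail.example.com",           # no angle brackets
    "<20080430113600>",                          # no '@'
    "<order 1234@mail.example.com>",             # space in the left side
    "<abc@example..com>",                        # empty label on the right
]

if __name__ == "__main__":
    for sample in SAMPLES + [new_message_id("mail.example.com")]:
        issues = message_id_problems(sample)
        print(f"{sample!r}: {'OK' if not issues else '; '.join(issues)}")
```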








[Declude.JunkMail] BadHeaders?

2008-04-30 Thread Dave Beckstrom
Hi Everyone,

We have an application that generates email using Cold Fusion.  The
application sends email to me.  The email never goes outside of our servers.
Declude is flagging the email as having BadHeaders:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8004000e].

I don't have a clear understanding of what BadHeaders evaluates.  I realize
I can whitelist the email but what I really want to do is figure out how to
fix how Cold Fusion formats the email so that it does not trigger the
BadHeaders test.  We do send email via other applications to outside users
and so fixing this problem will help insure delivery to those people, too.

Thanks,

Dave








[Declude.JunkMail] No Reverse DNS pointer?

2008-04-22 Thread Dave Beckstrom

Hi Everyone,


I have two questions:

1) If a mail server is configured without a reverse DNS pointer, is that
enough to prevent email from reaching AOL, Yahoo, Hotmail, etc?  

2) Do you block email coming from mail servers with no reverse DNS? 

Thanks,

Dave







[Declude.JunkMail] INVURIBL WEIGHT?

2008-04-22 Thread Dave Beckstrom
Hi everyone,

 

I would appreciate hearing some opinions.  How heavy are you weighing
INVURIBL?  Would half of the hold weight be too much weight?  Would you hold
on INVURIBL alone?

 

Thanks,


Dave

 



RE: [Declude.JunkMail] Filters not triggering - David Barker

2008-04-08 Thread Dave Beckstrom
Hi David,


Let's hold off for a bit.   I just discovered that when I added the filter
you provided that it did not actually save the edit.  I'm working remotely
on the server and I'm guessing the save command never made it to the server.


Before I cry wolf I need to make sure it wasn't a stupid user error.  :)

Thanks,

Dave



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Tuesday, April 08, 2008 10:48 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker
> 
> Dave,
> 
> Do you have a ticket number? If so, email me so I can follow up on the
> ticket for you - this needs to be addressed with support, not on the lists.
> 
> Thanks
> David B
> 
> -Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Tuesday, April 08, 2008 11:32 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker
> 
> Hi David,
> 
> The filter is not triggering.  That IS the issue I am reporting!  I provided
> log snippets showing that the filter does run, but is not triggering.  This
> is the problem I'm requesting help with.
> 
> Dave
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David
> > Barker
> > Sent: Tuesday, April 08, 2008 9:11 AM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker
> >
> > The expression I gave you does match on (discount. Coupon) in 85%
> discount.
> > Coupon #zH5d
> >
> > If it is not triggering you may have a different issue. As for the
subject
> > you are describing I use the following:
> >
> >
> > SUBJECT 7   PCRE (?i:\d\d%.{0,10}
> discount.{0,10}#[a-z]{3,5})
> > BODY5   PCRE (?i:google.{3,10}pagead/iclk)
> >
> >
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> > Beckstrom
> > Sent: Monday, April 07, 2008 8:58 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker
> >
> > David,
> >
> > I implemented your regular expression in the filter and a spam skated
> right
> > through (filter did not trigger) with the following subject line:
> >
> > 85% discount. Coupon #zH5d
> >
> > Dave
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> David
> > > Barker
> > > Sent: Monday, April 07, 2008 2:14 PM
> > > To: declude.junkmail@declude.com
> > > Subject: RE: [Declude.JunkMail] Filters not triggering
> > >
> > > Spaces before the phrase are not used as the line is normalized. Also
> the
> > > regular CONTAINS is not case sensitive.
> > >
> > > It would be better to use
> > >
> > > > SUBJECT   0   PCRE	(?i:(discount|off).{0,2}Co(upon|de))
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Dave
> > > Beckstrom
> > > Sent: Monday, April 07, 2008 2:42 PM
> > > To: declude.junkmail@declude.com
> > > Subject: [Declude.JunkMail] Filters not triggering
> > >
> > > Hi Everyone.
> > >
> > > I have a filter set up to delete an email if the subject line contains
> the
> > > keyword in the filter.  For some odd reason, the filter is not
> triggering
> > > and it really has me baffled.  I could use some suggestions on this
one.
> > >
> > > The filter is called:   Filter_Subject_delete.txt
> > >
> > > Here are the relevant lines from the filter:
> > >
> > >
> > > > SUBJECT   0   contains	discount. Code
> > > > SUBJECT   0   contains	discount.Code
> > > > SUBJECT   0   contains	discount. coupon
> > > > SUBJECT   0   contains discount. Coupon
> > > > SUBJECT   0   contains	discount.coupon
> > > > SUBJECT   0   contains	discount.Coupon
> > > > SUBJECT   0   contains	off .code
> > >
> > > As you can see, I added some filter lines to test to see if I was
> running
> > > into an issue with the filter not triggering due to case sensitivity.
I
> > > didn't think the filters were case sensitive, but in trying to de

RE: [Declude.JunkMail] Filters not triggering - David Barker

2008-04-08 Thread Dave Beckstrom
Hi David,

The filter is not triggering.  That IS the issue I am reporting!  I provided
log snippets showing that the filter does run, but is not triggering.  This
is the problem I'm requesting help with.

Dave



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Tuesday, April 08, 2008 9:11 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker
> 
> The expression I gave you does match on (discount. Coupon) in 85% discount.
> Coupon #zH5d
> 
> If it is not triggering you may have a different issue. As for the subject
> you are describing I use the following:
> 
> 
> SUBJECT   7   PCRE (?i:\d\d%.{0,10}
discount.{0,10}#[a-z]{3,5})
> BODY  5   PCRE (?i:google.{3,10}pagead/iclk)
> 
> 
> 
> 
> -Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Monday, April 07, 2008 8:58 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker
> 
> David,
> 
> I implemented your regular expression in the filter and a spam skated right
> through (filter did not trigger) with the following subject line:
> 
> 85% discount. Coupon #zH5d
> 
> Dave
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David
> > Barker
> > Sent: Monday, April 07, 2008 2:14 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Filters not triggering
> >
> > Spaces before the phrase are not used as the line is normalized. Also the
> > regular CONTAINS is not case sensitive.
> >
> > It would be better to use
> >
> > SUBJECT 0   PCRE	(?i:(discount|off).{0,2}Co(upon|de))
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> > Beckstrom
> > Sent: Monday, April 07, 2008 2:42 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Filters not triggering
> >
> > Hi Everyone.
> >
> > I have a filter set up to delete an email if the subject line contains
the
> > keyword in the filter.  For some odd reason, the filter is not
triggering
> > and it really has me baffled.  I could use some suggestions on this one.
> >
> > The filter is called:   Filter_Subject_delete.txt
> >
> > Here are the relevant lines from the filter:
> >
> >
> > SUBJECT   0 contains	discount. Code
> > SUBJECT   0 contains	discount.Code
> > SUBJECT   0 contains	discount. coupon
> > SUBJECT   0 contains discount. Coupon
> > SUBJECT   0 contains	discount.coupon
> > SUBJECT   0 contains	discount.Coupon
> > SUBJECT   0 contains	off .code
> >
> > As you can see, I added some filter lines to test to see if I was
running
> > into an issue with the filter not triggering due to case sensitivity.  I
> > didn't think the filters were case sensitive, but in trying to debug
this
> > problem I checked to see if that was an issue or not.
> >
> >
> > My junkmail config has the following specifying to delete the spam:
> >
> > Filter_Subject_Delete   DELETE
> >
> >
> >
> >
> > Here are the headers from the spam that was not deleted:
> >
> >
> >
> >
> >
> > Return-Path: <[EMAIL PROTECTED]> Mon Apr 07 08:49:57 2008
> > Received: from 224samana75.codetel.net.do [200.88.75.224] by
my.server.com
> > with SMTP;
> >Mon, 7 Apr 2008 08:49:57 -0500
> > Message-ID: <[EMAIL PROTECTED]>
> > From: "brit luc" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk
> > Date: Mon, 07 Apr 2008 12:34:28 +
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative;
> > boundary="=_NextPart_000_0007_01C898BA.05CF202E"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> > X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM
> > X-invURIBL-Weight: 0
> > X-invURIBL-Range: CLEAN
> > X-RBL-Warning: SPAMCOP: "Blocked - see
> > http://www.spamcop.net/bl.shtml?200.88.75.224";
> > X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
&

RE: [Declude.JunkMail] Filters not triggering - David Barker

2008-04-07 Thread Dave Beckstrom
David,

I implemented your regular expression in the filter and a spam skated right
through (filter did not trigger) with the following subject line:

85% discount. Coupon #zH5d

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Monday, April 07, 2008 2:14 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Filters not triggering
> 
> Spaces before the phrase are not used as the line is normalized. Also the
> regular CONTAINS is not case sensitive.
> 
> It would be better to use
> 
> SUBJECT   0   PCRE	(?i:(discount|off).{0,2}Co(upon|de))
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Monday, April 07, 2008 2:42 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Filters not triggering
> 
> Hi Everyone.
> 
> I have a filter set up to delete an email if the subject line contains the
> keyword in the filter.  For some odd reason, the filter is not triggering
> and it really has me baffled.  I could use some suggestions on this one.
> 
> The filter is called:   Filter_Subject_delete.txt
> 
> Here are the relevant lines from the filter:
> 
> 
> SUBJECT   0   contains	discount. Code
> SUBJECT   0   contains	discount.Code
> SUBJECT   0   contains	discount. coupon
> SUBJECT   0   contains discount. Coupon
> SUBJECT   0   contains	discount.coupon
> SUBJECT   0   contains	discount.Coupon
> SUBJECT   0   contains	off .code
> 
> As you can see, I added some filter lines to test to see if I was running
> into an issue with the filter not triggering due to case sensitivity.  I
> didn't think the filters were case sensitive, but in trying to debug this
> problem I checked to see if that was an issue or not.
> 
> 
> My junkmail config has the following specifying to delete the spam:
> 
> Filter_Subject_Delete DELETE
> 
> 
> 
> 
> Here are the headers from the spam that was not deleted:
> 
> 
> 
> 
> 
> Return-Path: <[EMAIL PROTECTED]> Mon Apr 07 08:49:57 2008
> Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com
> with SMTP;
>Mon, 7 Apr 2008 08:49:57 -0500
> Message-ID: <[EMAIL PROTECTED]>
> From: "brit luc" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk
> Date: Mon, 07 Apr 2008 12:34:28 +
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>   boundary="=_NextPart_000_0007_01C898BA.05CF202E"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM
> X-invURIBL-Weight: 0
> X-invURIBL-Range: CLEAN
> X-RBL-Warning: SPAMCOP: "Blocked - see
> http://www.spamcop.net/bl.shtml?200.88.75.224";
> X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
> X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line
59,
> weight 3)
> X-Declude-RefID:
> X-Note: 
> X-Note: Spam Score: [11]
> X-Note: Scan Time: 08:50:19 on 07 Apr 2008
> X-Note: Spool File: 35052863.eml
> X-Note: Server Name: 224samana75.codetel.net.do
> X-Note: SMTP Sender: [EMAIL PROTECTED]
> X-Note: Reverse DNS & IP: 224samana75.codetel.net.do [200.88.75.224]
> X-Note: Recipient(s): [EMAIL PROTECTED]
> X-Note: Country Chain: DOMINICAN REPUBLIC->destination
> X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3],
> WEIGHT10 [10]
> X-Note: 
> 
> 
> 
> Where it says my.server.com and my.address.com is where I edited info I
> didn't want posted to the list.
> 
> 
> Here is the Declude log entries from when the email was scanned:
> 
> 
> 04/07/2008 08:50:03.527 35052863.eml CFG: Bypassing IP 127.0.0.1.
> 04/07/2008 08:50:03.527 35052863.eml CFG: Set hop to 0.
> 04/07/2008 08:50:03.527 35052863.eml STOPPROCESSINGONFIRSTDELETE: Set to
> ON
> 
> 
> 04/07/2008 08:50:10.746 35052863 Last line of headers checking for
Recived:
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> 04/07/2008 08:50:10.746 35052863 About to run spam tests
> 
> 04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start
> 04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start
> 04/07/2008 08:50:18.980 35052863 DeHTML End: 495:367 ratio=0.425754
> 04/07/2008 08:50:19.011 35052863 Doing filter file
> D:\Apps\smartermail\Declude\CustomFilte

RE: [Declude.JunkMail] Filters not triggering

2008-04-07 Thread Dave Beckstrom
Darrell,

Thanks.  I removed all spaces and now have only tabs.  We'll see if that
does the trick!

I also implemented David's suggestion for using the regular expression.  I
like elegant solutions!

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darrell
> ([EMAIL PROTECTED])
> Sent: Monday, April 07, 2008 3:40 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Filters not triggering
> 
> Dave,
> 
>  From my experience I have had a number of problems with spaces that would
> cause my filter files not to trigger.  I have since stopped using spaces
> and started using tabs like below and it has stopped any of the issues I
> had in the past.
> 
> SUBJECT	0	CONTAINS	coupon
> 
> Darrell
> --
> Check out http://www.invariantsystems.com for utilities for Declude,
> Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
> SURBL/URI integration, MRTG Integration, and Log Parsers.
> 
> 
> Dave Beckstrom wrote:
> > Hi Darrell,
> >
> > Yes, there are spaces and/or tabs between the "contains" and the data that I
> > want to filter on.  I was under the understanding that those were ignored?
> >
> > Dave
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Darrell
> >> ([EMAIL PROTECTED])
> >> Sent: Monday, April 07, 2008 2:42 PM
> >> To: declude.junkmail@declude.com
> >> Subject: Re: [Declude.JunkMail] Filters not triggering
> >>
> >> Dave,
> >>
> >> I noticed with the relevant lines from the filter posted below some of
> >> the lines were indented more than the one line.  Is it possible you have
> >> extraneous whitespaces between contains and the text you want to filter on?
> >>
> >> Darrell
> >> --
> >> Check out http://www.invariantsystems.com for utilities for Declude,
> >> Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
> >> SURBL/URI integration, MRTG Integration, and Log Parsers.
> >>
> >>
> >> Dave Beckstrom wrote:
> >>> Hi Everyone.
> >>>
> >>> I have a filter set up to delete an email if the subject line contains
> > the
> >>> keyword in the filter.  For some odd reason, the filter is not
> > triggering
> >>> and it really has me baffled.  I could use some suggestions on this
one.
> >>>
> >>> The filter is called:   Filter_Subject_delete.txt
> >>>
> >>> Here are the relevant lines from the filter:
> >>>
> >>>
> >>> SUBJECT   0   contains	discount. Code
> >>> SUBJECT   0   contains	discount.Code
> >>> SUBJECT   0   contains	discount. coupon
> >>> SUBJECT   0   contains discount. Coupon
> >>> SUBJECT   0   contains	discount.coupon
> >>> SUBJECT   0   contains	discount.Coupon
> >>> SUBJECT   0   contains	off .code
> >>>
> >>> As you can see, I added some filter lines to test to see if I was
> > running
> >>> into an issue with the filter not triggering due to case sensitivity.
I
> >>> didn't think the filters were case sensitive, but in trying to debug
> > this
> >>> problem I checked to see if that was an issue or not.
> >>>
> >>>
> >>> My junkmail config has the following specifying to delete the spam:
> >>>
> >>> Filter_Subject_Delete DELETE
> >>>
> >>>
> >>>
> >>>
> >>> Here are the headers from the spam that was not deleted:
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Return-Path: <[EMAIL PROTECTED]> Mon Apr 07 08:49:57 2008
> >>> Received: from 224samana75.codetel.net.do [200.88.75.224] by
> > my.server.com
> >>> with SMTP;
> >>>Mon, 7 Apr 2008 08:49:57 -0500
> >>> Message-ID: <[EMAIL PROTECTED]>
> >>> From: "brit luc" <[EMAIL PROTECTED]>
> >>> To: <[EMAIL PROTECTED]>
> >>> Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk
> >>> Date: Mon, 07 Apr 2008 12:34:28 +
> >>> MIME-Version: 1.0
> >>> Content-Type: multipart/alternative;
> >>>   boundary="=_NextPart_000_0007_01C898BA.05CF202E"
> >>

RE: [Declude.JunkMail] Filters not triggering

2008-04-07 Thread Dave Beckstrom
Hi Darrell,

Yes, there are spaces and/or tabs between the "contains" and the data that I
want to filter on.  I was under the understanding that those were ignored?

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Darrell
> ([EMAIL PROTECTED])
> Sent: Monday, April 07, 2008 2:42 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Filters not triggering
> 
> Dave,
> 
> I noticed with the relevant lines from the filter posted below some of
> the lines were indented more than the one line.  Is it possible you have
> extraneous whitespaces between contains and the text you want to filter on?
> 
> Darrell
> --
> Check out http://www.invariantsystems.com for utilities for Declude,
> Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
> SURBL/URI integration, MRTG Integration, and Log Parsers.
> 
> 
> Dave Beckstrom wrote:
> > Hi Everyone.
> >
> > I have a filter set up to delete an email if the subject line contains
the
> > keyword in the filter.  For some odd reason, the filter is not
triggering
> > and it really has me baffled.  I could use some suggestions on this one.
> >
> > The filter is called:   Filter_Subject_delete.txt
> >
> > Here are the relevant lines from the filter:
> >
> >
> > SUBJECT   0 contains	discount. Code
> > SUBJECT   0 contains	discount.Code
> > SUBJECT   0 contains	discount. coupon
> > SUBJECT   0 contains discount. Coupon
> > SUBJECT   0 contains	discount.coupon
> > SUBJECT   0 contains	discount.Coupon
> > SUBJECT   0 contains	off .code
> >
> > As you can see, I added some filter lines to test to see if I was
running
> > into an issue with the filter not triggering due to case sensitivity.  I
> > didn't think the filters were case sensitive, but in trying to debug
this
> > problem I checked to see if that was an issue or not.
> >
> >
> > My junkmail config has the following specifying to delete the spam:
> >
> > Filter_Subject_Delete   DELETE
> >
> >
> >
> >
> > Here are the headers from the spam that was not deleted:
> >
> >
> >
> >
> >
> > Return-Path: <[EMAIL PROTECTED]> Mon Apr 07 08:49:57 2008
> > Received: from 224samana75.codetel.net.do [200.88.75.224] by
my.server.com
> > with SMTP;
> >Mon, 7 Apr 2008 08:49:57 -0500
> > Message-ID: <[EMAIL PROTECTED]>
> > From: "brit luc" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk
> > Date: Mon, 07 Apr 2008 12:34:28 +
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative;
> > boundary="=_NextPart_000_0007_01C898BA.05CF202E"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> > X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM
> > X-invURIBL-Weight: 0
> > X-invURIBL-Range: CLEAN
> > X-RBL-Warning: SPAMCOP: "Blocked - see
> > http://www.spamcop.net/bl.shtml?200.88.75.224";
> > X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
> > X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line
59,
> > weight 3)
> > X-Declude-RefID:
> > X-Note: 
> > X-Note: Spam Score: [11]
> > X-Note: Scan Time: 08:50:19 on 07 Apr 2008
> > X-Note: Spool File: 35052863.eml
> > X-Note: Server Name: 224samana75.codetel.net.do
> > X-Note: SMTP Sender: [EMAIL PROTECTED]
> > X-Note: Reverse DNS & IP: 224samana75.codetel.net.do [200.88.75.224]
> > X-Note: Recipient(s): [EMAIL PROTECTED]
> > X-Note: Country Chain: DOMINICAN REPUBLIC->destination
> > X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3],
> > WEIGHT10 [10]
> > X-Note: 
> >
> >
> >
> > Where it says my.server.com and my.address.com is where I edited info I
> > didn't want posted to the list.
> >
> >
> > Here is the Declude log entries from when the email was scanned:
> >
> >
> > 04/07/2008 08:50:03.527 35052863.eml CFG: Bypassing IP 127.0.0.1.
> > 04/07/2008 08:50:03.527 35052863.eml CFG: Set hop to 0.
> > 04/07/2008 08:50:03.527 35052863.eml STOPPROCESSINGONFIRSTDELETE: Set
>

[Declude.JunkMail] Filters not triggering

2008-04-07 Thread Dave Beckstrom
Hi Everyone.

I have a filter set up to delete an email if the subject line contains the
keyword in the filter.  For some odd reason, the filter is not triggering
and it really has me baffled.  I could use some suggestions on this one.

The filter is called:   Filter_Subject_delete.txt

Here are the relevant lines from the filter:


SUBJECT   0 contains	discount. Code
SUBJECT   0 contains	discount.Code
SUBJECT   0 contains	discount. coupon
SUBJECT   0 contains discount. Coupon
SUBJECT   0 contains	discount.coupon
SUBJECT   0 contains	discount.Coupon
SUBJECT   0 contains	off .code

As you can see, I added some filter lines to test to see if I was running
into an issue with the filter not triggering due to case sensitivity.  I
didn't think the filters were case sensitive, but in trying to debug this
problem I checked to see if that was an issue or not.


My junkmail config has the following specifying to delete the spam:

Filter_Subject_Delete   DELETE




Here are the headers from the spam that was not deleted:





Return-Path: <[EMAIL PROTECTED]> Mon Apr 07 08:49:57 2008
Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com
with SMTP;
   Mon, 7 Apr 2008 08:49:57 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "brit luc" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk
Date: Mon, 07 Apr 2008 12:34:28 +
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0007_01C898BA.05CF202E"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM
X-invURIBL-Weight: 0
X-invURIBL-Range: CLEAN
X-RBL-Warning: SPAMCOP: "Blocked - see
http://www.spamcop.net/bl.shtml?200.88.75.224";
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 59,
weight 3)
X-Declude-RefID: 
X-Note: 
X-Note: Spam Score: [11]
X-Note: Scan Time: 08:50:19 on 07 Apr 2008
X-Note: Spool File: 35052863.eml
X-Note: Server Name: 224samana75.codetel.net.do
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: 224samana75.codetel.net.do [200.88.75.224]
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Country Chain: DOMINICAN REPUBLIC->destination
X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3],
WEIGHT10 [10]
X-Note: 



Where it says my.server.com and my.address.com is where I edited info I
didn't want posted to the list.


Here is the Declude log entries from when the email was scanned:


04/07/2008 08:50:03.527 35052863.eml CFG: Bypassing IP 127.0.0.1.
04/07/2008 08:50:03.527 35052863.eml CFG: Set hop to 0.
04/07/2008 08:50:03.527 35052863.eml STOPPROCESSINGONFIRSTDELETE: Set to ON


04/07/2008 08:50:10.746 35052863 Last line of headers checking for Recived:
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
04/07/2008 08:50:10.746 35052863 About to run spam tests

04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start
04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start
04/07/2008 08:50:18.980 35052863 DeHTML End: 495:367 ratio=0.425754
04/07/2008 08:50:19.011 35052863 Doing filter file
D:\Apps\smartermail\Declude\CustomFilters\Filter_Subject_Delete.txt.
04/07/2008 08:50:19.011 35052863 Filter Filter_Subject_Delete: Not skipping
E-mail due to current weight of 11.
04/07/2008 08:50:19.011 35052863 SPAMCOP:7 SPFUNKNOWN:1 Filter_Country:3 .
Total weight = 11.


I edited some of the log text, but the above is the relevant stuff.  We're
running declude 4.3.46 on Smartermail 3.

Any ideas on why that filter is not triggering?

Thanks,

Dave







RE: [Declude.JunkMail] OT: Yahoo Blocking Email

2008-02-25 Thread Dave Beckstrom
Hi Matt,


Thanks.  That was the form I submitted several weeks ago.  It didn't get me
anywhere.  It sure is frustrating!

 

Dave

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, February 25, 2008 11:27 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email

 

That's not the correct page, that page is primarily for bulk E-mail senders
so that they can keep their lists clean.

Use this page instead.  At the bottom is a link to the form that starts the
process:

http://help.yahoo.com/l/us/yahoo/mail/postmaster/basics-55.html

I would guess that it is going to be the "Yahoo! Mail Unblock Request Form".
This is the same form that I filled out previously for a client.

Matt



Robert Grosshandler wrote: 

http://help.yahoo.com/l/us/yahoo/mail/postmaster/
 
Third bullet down.  
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Thursday, February 21, 2008 12:59 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email
 
Rob,
 
We are using domain keys and reverse DNS as well as SPF records.  Do you
have a link to where I would request the whitelisting?
 
Dave
 
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert
Grosshandler
Sent: Thursday, February 21, 2008 12:21 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email
 
More.  Yahoo has whitelisting, and really cares about reverse DNS pointers
and Domain Keys.  You might want to resubmit, they were fast for us way back
when.
 
Rob
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
Andrew
Sent: Thursday, February 21, 2008 12:01 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email
 
And as a further best practice to what Matt is advising, I'll mention
that ideally you want to send all outbound mail from an IP that is
different from your inbound gateways. And that your outbound bulk mail
would be separate from both.
 
 
Andrew.
 
 
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Matt
Sent: Thursday, February 21, 2008 9:41 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email
 
 
I did this once about a year and a half ago for a client and they
responded fairly quickly, but the full process took about a month before
they whitelisted it.
 
If you are bulk mailing from your hosted mail server, you need to stop.
Never send bulk E-mail from a hosted mail server, and it is also good to
use a different domain for bulk mailing.  I'm not saying that is the
case here, but bulk mailing can trip Yahoo.
 
In the meantime, you might want to see if you can just switch your IP
address to see if that will work.
 
Matt
 
 
 
Dave Beckstrom wrote:
  

Hi All,
 
Has anyone figured out how to stop Yahoo from blocking email?  They've
blocked all email from our servers for about 3 weeks.  I've submitted their
forms but it hasn't done any good.
 
Dave
 
 
 
 

RE: [Declude.JunkMail] OT: Yahoo Blocking Email

2008-02-21 Thread Dave Beckstrom
Rob,

We are using domain keys and reverse DNS as well as SPF records.  Do you
have a link to where I would request the whitelisting?

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert
> Grosshandler
> Sent: Thursday, February 21, 2008 12:21 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email
> 
> More.  Yahoo has whitelisting, and really cares about reverse DNS pointers
> and Domain Keys.  You might want to resubmit, they were fast for us way
> back when.
> 
> Rob
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
> Andrew
> Sent: Thursday, February 21, 2008 12:01 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email
> 
> And as a further best practice to what Matt is advising, I'll mention
> that ideally you want to send all outbound mail from an IP that is
> different from your inbound gateways. And that your outbound bulk mail
> would be separate from both.
> 
> 
> Andrew.
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Matt
> > Sent: Thursday, February 21, 2008 9:41 AM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email
> >
> >
> > I did this once about a year and a half ago for a client and they
> > responded fairly quickly, but the full process took about a
> > month before
> > they whitelisted it.
> >
> > If you are bulk mailing from your hosted mail server, you
> > need to stop.
> > Never send bulk E-mail from a hosted mail server, and it is
> > also good to
> > use a different domain for bulk mailing.  I'm not saying that is the
> > case here, but bulk mailing can trip Yahoo.
> >
> > In the mean time, you might want to see if you can just
> > switch your IP
> > address to see if that will work.
> >
> > Matt
> >
> >
> >
> > Dave Beckstrom wrote:
> > > Hi All,
> > >
> > > Has anyone figured out how to stop Yahoo from blocking email?  They've
> > > blocked all email from our servers for about 3 weeks.  I've submitted their
> > > forms but it hasn't done any good.
> > >
> > > Dave
> > >
> > >
> > >
> > >



[Declude.JunkMail] OT: Yahoo Blocking Email

2008-02-21 Thread Dave Beckstrom
Hi All,

Has anyone figured out how to stop Yahoo from blocking email?  They've
blocked all email from our servers for about 3 weeks.  I've submitted their
forms but it hasn't done any good.

Dave







RE: [Declude.JunkMail] Blackice Server Settings

2008-01-05 Thread Dave Beckstrom
Wow, I posted those instructions a long time ago.  I didn't know so many
people ended up running blackice!   

I have no plans to replace blackice until a server upgrade means it won't
run any more.  Hopefully that won't be for several years.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard
> Smith (N.O.R.A.D.)
> Sent: Friday, January 04, 2008 12:59 PM
> To: declude.junkmail@declude.com
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Blackice Server Settings
> 
> ISS no longer supports blackice and it is no longer in production, what
> are users replacing it with?
> 
> 
> Howard Smith
> .
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Wednesday, September 27, 2006 5:58 PM
> To: declude.junkmail@declude.com
> Cc: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Blackice Server Settings
> 
> I've gotten some requests to post the information on how to use Blackice
> Server to block email harvesting attacks.  So here it is!
> 
> 
> Before you install Blackice Server you must turn Data Execution Prevention
> OFF on your server.  Blackice and DEP will not coexist.  On your server
> right click on "MY COMPUTER" then go to properties and then go to advanced.
> Under performance, select the SETTINGS button and then click on the Data
> Execution Prevention tab.  If DEP is listed as enabled for anything, remove
> it for the listed services.
> 
> Next, you can install Blackice.
> 
> When you install Blackice server you should install it with the trusting
> mode enabled to allow all inbound traffic.  I believe it asks you what you
> want when you install Blackice.  I don't recall for sure if it does or not
> because it has been several years since I installed it.  If it doesn't ask
> you the protection level that you want, after you install blackice you can
> go into the GUI and go to the firewall tab and under protection level you
> can select "trusting: allow all inbound traffic"
> 
> Blackice should run without causing you any trouble so you should have time
> to complete the other configuration items.  The whole install and
> configuration only took me about 15 minutes.  I installed it on a dedicated
> email server.  I don't have any experience with Blackice on a server running
> other stuff besides email and webmail.
> 
> Also, you can always stop the Blackice service if you hit a problem.
> Blackice does its thing by watching traffic across the network card.  If you
> stop Blackice then it's effectively as if Blackice isn't installed on the
> server.  When the service is stopped Blackice is gone and all is back as it
> was before.
> 
> Attached is the issuelist.csv file which comes with Blackice server.
> Blackice uses this file as a database of different types of attacks.  Line
> 227 had to be modified to indicate an action of IP|RST.  The IP|RST tells
> Blackice to block the IP of the attacker as the action to take.  Ignore the
> comments to the far right of line 227.  The comments say to block the
> attacker if they attempt to send email to 10 non-existent email addresses
> within 120 seconds.  The QTY/Timeframe is actually specified elsewhere.  All
> you need to change in this file is to add IP|RST to line 227.  The attached
> file already has the change.  It is from the most current version of
> Blackice so if you just bought Blackice you can move the attached file into
> the Blackice directory and you're good to go.
> 
> Next, in the Blackice GUI you'll want to go to the firewall tab and put a
> checkmark in front of "Enable Auto Blocking".  The GUI updates the
> firewall.ini file to tell Blackice that auto-blocking is enabled.  The line
> in my firewall.ini is the following:
> 
> auto-blocking = enabled, 2000, BIgui
> 
> Next, go to the blackice.ini file and manually edit it to add the following
> 4 lines:
> 
> 
> smtp.error.count=6
> smtp.error.interval=30
> pam.smtp.error.count=6
> pam.error.interval=30
> 
> 
> The above settings in blackice.ini tell Blackice that if it detects an
> attempt to send to 6 non-existent email addresses within 30 seconds then it
> should activate the Email_Error action in line 227 of issuelist.csv.  We set
> the action to be IP|RST (in issuelist.csv) which specifies that the IP
> should be blocked.  So if the QTY/Timeframe is met, the IP is blocked.  The
> block of the IP will automatically go away after a specified time.  This is
> good because an IP is never permanently blocked forever.
> 
> I believe the IP is removed from the blocklist after 24 hours.  I ha
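
The thresholding described in the post above (6 rejected recipients within 30 seconds blocks the source IP, and the block later lapses), as an added Python example that is not Blackice's code and not part of the original post. The log format, the `HarvestDetector` name and the sample lines are constructed for illustration, and the 24-hour expiry is taken from the post's "I believe".

```python
"""Sliding-window detector for SMTP address-harvesting attempts.

Models the behaviour the post configures: smtp.error.count=6 rejected
recipients inside smtp.error.interval=30 seconds blocks the source IP,
and the block lapses on its own. Log format and names are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO time> <client ip> RCPT <address> <smtp code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT (?P<rcpt>\S+) (?P<code>\d{3})$"
)


class HarvestDetector:
    def __init__(self, error_count=6, error_interval=30, block_hours=24):
        self.error_count = error_count
        self.window = timedelta(seconds=error_interval)
        self.block_for = timedelta(hours=block_hours)
        self.errors = defaultdict(deque)   # ip -> times of rejected RCPTs
        self.blocked_until = {}            # ip -> time the block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                  # the block lapses automatically
            del self.blocked_until[ip]
            return False
        return True

    def feed(self, line):
        """Process one log line; return 'blocked', 'dropped', 'ok' or 'skip'."""
        m = LOG_RE.match(line.strip())
        if not m:
            return "skip"                  # not a line in the assumed format
        now = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if self.is_blocked(ip, now):
            return "dropped"               # traffic from an already blocked IP
        if m["code"] != "550":             # only unknown-recipient rejections count
            return "ok"
        q = self.errors[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                    # forget errors older than the interval
        if len(q) >= self.error_count:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return "blocked"
        return "ok"


# Constructed sample: 192.0.2.10 probes six unknown addresses in ten seconds,
# 198.51.100.7 is a normal sender with the occasional mistyped address.
SAMPLE_LOG = """\
2008-01-05T10:00:00 192.0.2.10 RCPT aaron@example.test 550
2008-01-05T10:00:02 192.0.2.10 RCPT abby@example.test 550
2008-01-05T10:00:03 198.51.100.7 RCPT sales@example.test 250
2008-01-05T10:00:04 192.0.2.10 RCPT adam@example.test 550
2008-01-05T10:00:06 192.0.2.10 RCPT alan@example.test 550
2008-01-05T10:00:08 192.0.2.10 RCPT alex@example.test 550
2008-01-05T10:00:10 192.0.2.10 RCPT alice@example.test 550
2008-01-05T10:00:11 192.0.2.10 RCPT amy@example.test 550
2008-01-05T10:01:00 198.51.100.7 RCPT jon@example.test 550
2008-01-05T10:02:00 198.51.100.7 RCPT jhon@example.test 550
2008-01-06T11:00:00 192.0.2.10 RCPT sales@example.test 250
"""


def run_sample(log=SAMPLE_LOG):
    """Feed the sample through a fresh detector and return one verdict per line."""
    det = HarvestDetector()
    return [det.feed(line) for line in log.splitlines()]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), run_sample()):
        print(f"{verdict:8} {line}")
```

The last sample line arrives more than 24 hours after the block was set, so it is accepted again, which is the expiry behaviour the post describes.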

RE: [Declude.JunkMail] Interesting Spam

2007-09-07 Thread Dave Beckstrom
Found out that invURIBL wasn't working correctly on my server.  It was
finding the wrong IP address for the DNS server.  Once I fixed that, all of
those spams suddenly ceased from being delivered to our inboxes!  *grin  

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, September 06, 2007 6:58 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Interesting Spam
> 
> I use a command line tool from www.whoisview.com that works well for both
> domains and IP blocks.
> 
> Occasionally I run into a domain that doesn't resolve, but when that happens
> I also have trouble from registrar sites like netsol and godaddy.
> www.freewho.com generally works well, though.
> 
> Darin.
> 
> 
> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, September 06, 2007 7:40 PM
> Subject: RE: [Declude.JunkMail] Interesting Spam
> 
> 
> Well, the easy part is answering your question about the domains.
> 
> Each of the payload domains was registered today, so whatever service
> you're using to look up the registrations is probably using a database
> at least a day behind.
> 
> I use (for example) this site to my satisfaction:
> 
> http://whois.domaintools.com/sdsdm.com
> 
> 
> 
> Andrew.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Dave Beckstrom
> > Sent: Thursday, September 06, 2007 3:07 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Interesting Spam
> >
> > We're getting a rash of spam that doesn't score high enough
> > to be blocked.
> > In the past I've looked up the domain owner of the site
> > listed in the spam
> > and been able to identify sometimes dozens of domains owned
> > by the spammer,
> > then I've put that list into a filter and blocked the domains
> > before they
> > were all used in new spam sent to us.
> >
> > I did a whois on some of the domains and they all show as
> > available and
> > unregistered.  Yet when I go to the domain, it does take me
> > to the spammers
> > site.  How can these domains be functional and show as available to be
> > registered at the same time?
> >
> > Below is a paste of one of the spams.  I added 3 additional
> > domains that
> > have appeared in this same asshole's spam so that you can see
> > the pattern of
> > domains he is using.
> >
> > How do I block these?
> >
> > Dave
> >
> >
> >
> > X-Note: 
> > X-Note: Spam Score: [18]
> > X-Note: Scan Time: 16:47:18 on 06 Sep 2007
> > X-Note: Spool File: 35111367.eml
> > X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
> > X-Note: SMTP Sender: [EMAIL PROTECTED]
> > X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr
> > [88.233.123.242]
> > X-Note: Country Chain: TURKEY->destination
> > X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
> > SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
> > X-Note: 
> >
> >
> > -Original Message-
> > From: Tam Genois [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 06, 2007 1:15 PM
> > Subject: [SPAM]- Score (12)tuile
> >
> > How it is going Genois
> > Do you want to have an average to small penis all of your
> > life? No, you
> > don't
> >
> > dae Hays
> > http://soltepec.com/
> > http://selenan.com/
> > http://www.seriia.com/
> > http://www.sdsdm.com/
> >
> >
> >
> >
> >



RE: [Declude.JunkMail] Interesting Spam

2007-09-07 Thread Dave Beckstrom
I used www.betterwhois.com and the whois service at www.netsol.com and
neither showed the domains had been registered.   Guess I'll have to try
your site.  Thanks!

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
> Andrew
> Sent: Thursday, September 06, 2007 6:41 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting Spam
> 
> Well, the easy part is answering your question about the domains.
> 
> Each of the payload domains was registered today, so whatever service
> you're using to look up the registrations is probably using a database
> at least a day behind.
> 
> I use (for example) this site to my satisfaction:
> 
> http://whois.domaintools.com/sdsdm.com
> 
> 
> 
> Andrew.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Dave Beckstrom
> > Sent: Thursday, September 06, 2007 3:07 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Interesting Spam
> >
> > We're getting a rash of spam that doesn't score high enough
> > to be blocked.
> > In the past I've looked up the domain owner of the site
> > listed in the spam
> > and been able to identify sometimes dozens of domains owned
> > by the spammer,
> > then I've put that list into a filter and blocked the domains
> > before they
> > were all used in new spam sent to us.
> >
> > I did a whois on some of the domains and they all show as
> > available and
> > unregistered.  Yet when I go to the domain, it does take me
> > to the spammers
> > site.  How can these domains be functional and show as available to be
> > registered at the same time?
> >
> > Below is a paste of one of the spams.  I added 3 additional
> > domains that
> > have appeared in this same asshole's spam so that you can see
> > the pattern of
> > domains he is using.
> >
> > How do I block these?
> >
> > Dave
> >
> >
> >
> > X-Note: 
> > X-Note: Spam Score: [18]
> > X-Note: Scan Time: 16:47:18 on 06 Sep 2007
> > X-Note: Spool File: 35111367.eml
> > X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
> > X-Note: SMTP Sender: [EMAIL PROTECTED]
> > X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr
> > [88.233.123.242]
> > X-Note: Country Chain: TURKEY->destination
> > X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
> > SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
> > X-Note: 
> >
> >
> > -Original Message-
> > From: Tam Genois [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 06, 2007 1:15 PM
> > Subject: [SPAM]- Score (12)tuile
> >
> > How it is going Genois
> > Do you want to have an average to small penis all of your
> > life? No, you
> > don't
> >
> > dae Hays
> > http://soltepec.com/
> > http://selenan.com/
> > http://www.seriia.com/
> > http://www.sdsdm.com/
> >
> >
> >
> >
> >



[Declude.JunkMail] Interesting Spam

2007-09-06 Thread Dave Beckstrom
We're getting a rash of spam that doesn't score high enough to be blocked.
In the past I've looked up the domain owner of the site listed in the spam
and been able to identify sometimes dozens of domains owned by the spammer,
then I've put that list into a filter and blocked the domains before they
were all used in new spam sent to us.

I did a whois on some of the domains and they all show as available and
unregistered.  Yet when I go to the domain, it does take me to the spammers
site.  How can these domains be functional and show as available to be
registered at the same time?

Below is a paste of one of the spams.  I added 3 additional domains that
have appeared in this same asshole's spam so that you can see the pattern of
domains he is using. 

How do I block these?

Dave



X-Note: 
X-Note: Spam Score: [18]
X-Note: Scan Time: 16:47:18 on 06 Sep 2007
X-Note: Spool File: 35111367.eml
X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr [88.233.123.242]
X-Note: Country Chain: TURKEY->destination
X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
X-Note: 


-Original Message-
From: Tam Genois [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 06, 2007 1:15 PM
Subject: [SPAM]- Score (12)tuile

How it is going Genois
Do you want to have an average to small penis all of your life? No, you
don't

dae Hays
http://soltepec.com/
http://selenan.com/
http://www.seriia.com/
http://www.sdsdm.com/








RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
No, didn't trigger at all.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 9:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Did it trigger at all?

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments?

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
It didn't work.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Thanks David.  We'll (ok, I'll) give it a whirl!

 

Todd

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments?

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
Thanks.  I'll give it a try.

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Ok this should hold it over till I can look at it some more tomorrow.

 

David

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

This is not an easy one I will see what I can get done before I leave today.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments?

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
David,

 

I just sent you a bunch of samples.  If you can update the filter before you
knock off for the day I'd appreciate it.  We've probably had 50 of them get
through already today.

 

Thanks,


Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

From reports today looks like the filter needs to be updated. Can you send
me some examples as attachments.

 

David B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.



RE: [Declude.JunkMail] New PDF worm?

2007-08-07 Thread Dave Beckstrom
I installed the filter below and we've had about 50 PDFs that came through
today.  Does the filter need to be revised or is there some other method I
should be looking into using?


Thanks!

 

Dave

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your
weights accordingly. Also ensure you are running Declude 4.3.46

 

BODY 3  PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)

BODY 5  PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie
LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

 

We've been suffering .pdf spam getting through the filter.  What settings
are you using that's identifying these as spam?

We're seeing an overall increase in spam getting through the filter the last
few weeks...

 

Thanks, 

Katie

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not
triggering any AV yet, anyone else seeing this?

 

SJ.Stanaitis - Network Administrator

Decorative Product Source, Inc.
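
Added example, not part of the thread and not Declude code: the Python sketch below runs the two PCRE rules quoted in this thread against two constructed messages and compares them with a check that decodes every MIME part and looks for the %PDF- magic bytes. The sample messages, addresses, boundaries and function names are assumptions made for the illustration; it shows why the literal signatures stop matching as soon as the PDF generator or the mail client differs.

```python
import base64
import re
from email import message_from_bytes

# Patterns copied from the filter quoted in the thread (weights 3 and 5).
SIG_B64 = "JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo"
RULES = [
    (3, re.compile(re.escape(SIG_B64))),
    (5, re.compile(
        r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}"
        r"-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;")),
]


def signature_plaintext():
    """Bytes that the base64 literal in the first rule stands for."""
    return base64.b64decode(SIG_B64 + "=")  # 51 chars; one '=' completes the group


def filter_weight(raw):
    """Sum the weights of the thread's two rules that match the raw message."""
    text = raw.decode("latin-1")
    return sum(weight for weight, rx in RULES if rx.search(text))


def pdf_parts(raw):
    """Decode every leaf MIME part and return the declared type of each part
    whose content starts with the PDF magic, whatever the headers claim."""
    found = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.lstrip().startswith(b"%PDF-"):
            found.append(part.get_content_type())
    return found


def build_message(pdf, boundary, text, ctype):
    """Assemble a constructed two-part message with CRLF line endings."""
    lines = [
        "From: sender@example.test",
        "To: rcpt@example.test",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="%s"' % boundary,
        "",
        "--" + boundary,
        "Content-Type: text/plain; charset=us-ascii",
        "Content-Transfer-Encoding: 7bit",
        "",
    ]
    if text:
        lines.append(text)
    lines += [
        "--" + boundary,
        'Content-Type: %s; name="doc.pdf"' % ctype,
        "Content-Transfer-Encoding: base64",
        "",
    ]
    lines += base64.encodebytes(pdf).decode("ascii").split()
    lines += ["--" + boundary + "--", ""]
    return "\r\n".join(lines).encode("ascii")


# Constructed sample A: shaped the way the rules expect (PDF 1.3 opening
# bytes, all-numeric boundary, empty text part directly before the PDF part).
SAMPLE_A = build_message(signature_plaintext() + b"\n<<\n>>\nendobj\n%%EOF\n",
                         "------------070203040506", "", "application/pdf")

# Constructed sample B: an ordinary message from a different mail client and
# PDF generator (PDF 1.4, non-numeric boundary, body text, generic MIME type).
SAMPLE_B = build_message(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
                         "----=_Part_42_abc", "See attached.",
                         "application/octet-stream")

if __name__ == "__main__":
    print("signature decodes to:", signature_plaintext())
    for name, raw in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, "filter weight:", filter_weight(raw),
              "decoded PDF parts:", pdf_parts(raw))
```

The first rule only recognises one generator's opening bytes (a PDF 1.3 header followed by an empty first object), and the second only an empty part between two numeric boundaries, so both are tied to one spam run rather than to PDF attachments in general.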



RE: [Declude.JunkMail] Spam Increase?

2007-08-04 Thread Dave Beckstrom
Sorry guys...I've not been able to stay on top of discussions here for a few
weeks and I'm sure I missed discussion about how you're catching the PDF
spam.  Does someone have a filter they are using for PDF spam that they
could post for me?

Thanks,

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Friday, August 03, 2007 10:25 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Spam Increase?
> 
> I think we started seeing it last Saturday... pretty constant since then.
> Fortunately it's almost entirely being caught so our customers are not
> seeing it.
> 
> Darin.
> 
> 
> - Original Message -
> From: "John T (lists)" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, August 03, 2007 6:19 PM
> Subject: RE: [Declude.JunkMail] Spam Increase?
> 
> 
> I actually saw it ramping up since last weekend and every day there have
> been a change or 2 in the spam to keep it from being caught.
> 
> John T
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Todd Richards
> > Sent: Friday, August 03, 2007 2:35 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Spam Increase?
> >
> > Anyone else noticing an increase in spam today?  It seems like stuff that
> > was normally being caught before is showing up in my Inbox.
> >
> > Todd
> >
> >
> >



[Declude.JunkMail] OT: Yahoo Email Problems

2007-03-29 Thread Dave Beckstrom

Sorry about the off-topic post.  This is the only email server software
related list that I am on.  

I tried to send a couple of emails to a Yahoo group and received this message
back:

Reason: Remote host said: 451 qq unable to read configuration (#4.3.0)

Is that a problem with Yahoo or are they blocking email from me?  It looks
to me like a problem with Yahoo, but I thought I'd run it by you to see what
you thought.

Thanks,

Dave







RE: [Declude.JunkMail] Image spam

2007-03-08 Thread Dave Beckstrom
 

I'm confused.  I understood that if you host multiple email domains on a
mail server that you're considered a hosting company and can't purchase
commtouch?  At least I vaguely recall something to that effect.  I checked
Declude's site and I don't see commtouch listed on there anywhere (it used
to be) other than under "technology partners."

 

Obviously, I'm missing something.  So what is the scoop?  

 

I need an image spam solution.  I followed this discussion, but I didn't see
much talk about what people are actually using that currently works well for
them.  

 

I would most appreciate it if you would share your method for dealing with
image spam.

 

We have one particular spam that comes through multiple times every day.  It's
getting tiring.  There aren't enough other things wrong with the message to
block it.

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 1:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

 

Thank you I will check these out.

 

Kelly

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 21, 2007 12:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contain images, increasing the weight sufficiently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODY END NOTCONTAINS cid:
BODY END NOTCONTAINS Content-Type: image/

#IMAGES
BODY 3 CONTAINS src=3D"cid:
BODY 3 CONTAINS src="cid:
BODY 3 CONTAINS src='cid:

BODY 3 CONTAINS img src="cid:
BODY 3 CONTAINS img src=3Dcid:

BODY 3 CONTAINS /cid:

#IMAGE TYPES
BODY 2 CONTAINS Content-Type: image/gif;
BODY 2 CONTAINS Content-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE external nonzero "[path]\Declude\VSIMAGE\imgspamagent.exe -check" 40

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam

Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly
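
Added example, not part of the thread and not Declude code: a small Python interpreter for the FILTER-CID lines quoted above, run over constructed message bodies to show how the weights add up and how the two exception lines short-circuit the filter. It assumes that matching is case-insensitive over the raw (undecoded) body, that a weighted line adds its weight when its condition holds, and that an END line stops evaluation; the function names and sample bodies are hypothetical.

```python
# Filter text as posted in the thread, with the field separators restored.
FILTER_CID = """\
#EXCEPTIONS
BODY END NOTCONTAINS cid:
BODY END NOTCONTAINS Content-Type: image/
#IMAGES
BODY 3 CONTAINS src=3D"cid:
BODY 3 CONTAINS src="cid:
BODY 3 CONTAINS src='cid:
BODY 3 CONTAINS img src="cid:
BODY 3 CONTAINS img src=3Dcid:
BODY 3 CONTAINS /cid:
#IMAGE TYPES
BODY 2 CONTAINS Content-Type: image/gif;
BODY 2 CONTAINS Content-Type: image/jpeg;
"""


def parse_filter(text):
    """Return (weight or None for END, negate, needle) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scope, weight, op, needle = line.split(None, 3)
        if scope != "BODY" or op not in ("CONTAINS", "NOTCONTAINS"):
            raise ValueError("unsupported rule: " + line)
        rules.append((None if weight == "END" else int(weight),
                      op == "NOTCONTAINS", needle.lower()))
    return rules


def score(body, rules):
    """Evaluate the rules top to bottom and return (total weight, hits)."""
    haystack = body.lower()  # assumption: case-insensitive match on the raw body
    total, hits = 0, []
    for weight, negate, needle in rules:
        if (needle in haystack) == negate:
            continue  # this line's condition is not met
        if weight is None:
            break  # END line: leave the filter with what was scored so far
        total += weight
        hits.append(needle)
    return total, hits


RULES = parse_filter(FILTER_CID)

# Constructed bodies (image data is a placeholder, not a real image).
INLINE_QP = '''--b1
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"cid:logo@example.test"></body></html>
--b1
Content-Type: image/gif; name="logo.gif"
Content-Transfer-Encoding: base64
Content-ID: <logo@example.test>

R0lGODlhAQABAAAAACw=
--b1--
'''

INLINE_HTML = '''--b2
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:banner@example.test"></body></html>
--b2
Content-Type: image/jpeg; name="banner.jpg"
Content-Transfer-Encoding: base64
Content-ID: <banner@example.test>

/9j/4AAQSkZJRg==
--b2--
'''

ATTACHMENT_ONLY = '''--b3
Content-Type: text/plain; charset=us-ascii

Photo attached.
--b3
Content-Type: image/gif; name="photo.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b3--
'''

if __name__ == "__main__":
    for name, body in (("inline, quoted-printable", INLINE_QP),
                       ("inline, plain HTML", INLINE_HTML),
                       ("attachment only", ATTACHMENT_ONLY)):
        print(name, score(body, RULES))
```

Any message with an inline image scores here, a legitimate one with a logo included, which is why the filter contributes weight toward the spam threshold instead of deciding on its own.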

 

 

 

 

 

 

 

 

 

 




RE: [Declude.JunkMail] Need help - mail server sending out stock reports email - process found "ssm"

2007-02-07 Thread Dave Beckstrom
Our black ice display has been showing:

 

"[Suspicious Activity] This signature detects PE/COFF executable files that
have been packed using the UPX tool.  While the presence of a UPX packed
executable does not in itself represent an attack, it can be considered an
anomaly.  The UPX tool is commonly used to pack trojans and malware, while
it is somewhat uncommon for the tool to be used to distribute legitimate"

 

 

We started seeing hundreds of these being caught by blackice server,
starting about a week ago.  

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard
Smith (N.O.R.A.D.)
Sent: Wednesday, February 07, 2007 6:14 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Need help - mail server sending out stock
reports email - process found "ssm"

 

Hello  All   

 

Justin Moose hit it on the nail: it was a worm process, "ssm". For info,
it bypasses Imail completely, thus it was not in any logs, so Declude could
not help. We do not know how it got there, but it showed up on 1/28/7, then
went dormant until 2/5/7.

Please explain how BlackIce will help, and has anyone ever used winshark by
advances inc?
 

 

 

Howard Smith

N.O.R.A.D. Inc.

P.O. Box 680116

Miami, Florida 33168  

www.norad.com   

[EMAIL PROTECTED]

Office - (305) NETWORK (638-9675)

Sales - (786) 206-0045

Fax 1 - (305) 359-5144

 



Confidentiality Notice: This email message, including any Attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact  [EMAIL PROTECTED] by email and destroy all copies of the original
message. 

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin
Moose
Sent: Wednesday, February 07, 2007 6:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need hep - mail server sending out stock
reports email

 

I called Howard on this, but for everyone else's info, if you are seeing
this, look for ssm.exe to be a running process.  I found this on an Imail
server that I administer for another company this morning.  The file was
showing processing time in the task manager and showed up on the Services
list as Security Systems Manager, but the file had a modified date of 2/5/07
and no updates had been done on that server for over a week. Stopping this
service stopped the junk messages from going out.

Neither F-prot nor Symantec showed this file as a virus; however, I did submit
it to Symantec for analysis.

 

Justin Moose
Information Technology Manager
Sioux Valley Energy
DID: (605) 256-1644
Fax: (605) 256-1690
Toll Free: (800) 234 1960

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard
Smith (N.O.R.A.D.)
Sent: Wednesday, February 07, 2007 4:24 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Need hep - mail server sending out stock reports
email

 

Running Imail 8.15, Sniffer and Declude - starting on 2/6/7 my mail
server started sending out the stock reports email, even when I stop the
Imail SMTP process; nothing is in the Imail logs indicating problems. I
have run full scans with F-prot and Symantec.

Need help please, I have already made the SpamCop blacklist

 

 

Howard Smith

N.O.R.A.D. Inc.

P.O. Box 680116

Miami, Florida 33168  

www.norad.com   

[EMAIL PROTECTED]

Office - (305) NETWORK (638-9675)

Sales - (786) 206-0045

Fax 1 - (305) 359-5144

 



Confidentiality Notice: This email message, including any Attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact  [EMAIL PROTECTED] by email and destroy all copies of the original
message. 

 

 



RE: [Declude.JunkMail] SmarterMail 4.0 is released

2007-01-11 Thread Dave Beckstrom

> 
> SmarterTools just released the next major version of SmarterMail.  It has been
> rewritten in ASP.NET 2.0 from which they claim across the board performance
> improvements.  Major new features include greylisting and built-in ClamAV, as well as
> better features for use as a gateway.  For a list of new features see
> http://www.smartertools.com/Products/SmarterMail/WhyUpgrade.aspx
> 
> 


The release notes say nothing about implementing enhancement requests to the
list server.  You may recall we discussed the problem here regarding AOL
stripping off contact information for people who report email to AOL as
spam.  Every message sent to my listserv discussion list results in TOS
violations from AOL.   I cannot identify who reported the email as spam and
remove them from the listserv.  

Then AOL blocks us from sending any email to anyone on AOL for about 24
hours.  What a great position for a business to be in, eh?

I spoke (again) to Grady, the smartermail product manager, about this issue
about 6 months ago.  To say that I am frustrated and disappointed, that no
mention is made anywhere in the version release notes of changes made to the
listserv, is an understatement.

I have been talking to them about this issue for well over 2 years.

I'm rather pissed off.

 







[Declude.JunkMail] Image Spam

2007-01-06 Thread Dave Beckstrom

Sniffer tags some of the image spam we receive but much of it doesn't score
high enough for a hold weight. 

Is Declude or anyone else working on anything new that will be more
effective at catching image spam?  We're not eligible for Interceptor
because we host email for some other companies.

What options are available?







RE: [Declude.JunkMail] OT: Yahoo delivery problems

2006-11-02 Thread Dave Beckstrom


Thank you all who replied to my inquiry about the Yahoo delivery problems!
Good to know I'm not on a blacklist.  This was the first we've encountered
problems with yahoo so we must have just hit it at a time they were having
problems.

Thanks again,

Dave

 








[Declude.JunkMail] OT: Yahoo delivery problems

2006-11-02 Thread Dave Beckstrom
Hi Everyone,

This isn't a Declude question but with all of the expertise here I knew
someone could help.  Please forgive the off-topic message.

I'm receiving a bunch of delivery failures today for Yahoo.  The message is:

Failed Recipient: [EMAIL PROTECTED]
Reason: Remote host said: 451 Message temporarily deferred - [190]


I searched google and I searched Yahoo's site to see if I could find an
explanation of this message -- no joy.

I didn't know if it meant they are blocking our IP or if Yahoo was having
problems.  It sounded to me like they are blocking us.

I could not find anything on Yahoo's site about who to contact, what the
message means -- nothing.

Can someone shed some light on what may be going on?

Thanks,

Dave








RE: [Declude.JunkMail] RE: Declude's To-Do List

2006-10-25 Thread Dave Beckstrom
David,

You also need to add a new whitelist tag (whitelistunique?) that only
whitelists the "TO" recipient if it's the only recipient for the email.

This bit about whitelisting all recipients if one is whitelisted is a
problem.



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Wednesday, October 25, 2006 1:24 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] RE: Declude's To-Do List
> 
> With reference to X-Declude-RefID: it is part of the *Zerohour test doesn't
> operate as other tests issue.
> 
> David
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy
> Schmidt
> Sent: Wednesday, October 25, 2006 2:14 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] RE: Declude's To-Do List
> 
> Hi,
> 
> Thanks for posting! Openness is a great confidence builder! Seeing that
> problems are at least being recognized goes a long way to giving me some
> small flicker of hope that things at Declude might turn around yet.
> 
> Now your corporate management has to prove themselves by demonstrating that
> they are finally serious about fulfilling the service contracts we purchased
> by not allowing crucial problems to remain open for yet another year. They
> cannot keep holding out their hands each year, if the money is not spent on
> the intended purpose. Fixing the Auto-Whitelist with a simple MDAC SQL query
> against the Imail 2006 Workgroupshare database is no rocket science. It
> might take a day - but not a year.
> PS:
> This is a minor issue and probably doesn't deserve to be on your list - but
> I never got a reply on how to suppress the empty and unwanted
> 
>   X-Declude-RefID:
> 
> header.
> 
> Best Regards
> Andy Schmidt
> 
> Phone:  +1 201 934-3414 x20 (Business)
> Fax:+1 201 934-9206
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Wednesday, October 25, 2006 10:36 AM
> To: declude.junkmail@declude.com
> Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
> Declude allows attachments and Virus to pass through untouched and unscanned
> 
> Here is a preliminary list, not all have been verified and several are
> currently being worked on: (Note these does not include Declude adds for new
> functionality) Email me if you are aware of a known issue that is not on
> this list.
> 
> *Line Terminator Problem
> 
> *Auto whitelist Imail 2006
> 
> *Reported Memory Leaks & Decludeproc crash on zero pointers
> 
> *Zerohour test doesn't operate as other tests
> 
> *Zip vulnerability
> 
> *Attach function bug (forward as attachment)
> 
> *When there is a MIME header mismatch Declude assumes it is an executable
> 
> *Incorrectly filtering Object Data Vulnerability for MSOffice generated
> emails
> 
> *Attached web pages seen as .com files
> 
> *Yahoo CAL emails have header problems which cause improper blocking
> 
> *Encoded attachments not correctly detected - long base64
> 
> *Prewhitelist is not skipping custom filters
> 
> *Whitelisting messages in lower Log levels
> 
> *SmarterMail order of Domains listed in xml for aliases
> 
> David Barker
> Director of Product Development
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
> [EMAIL PROTECTED]
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
> Cox
> Sent: Monday, October 23, 2006 10:35 AM
> To: declude.junkmail@declude.com
> Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
> Declude allows attachments and Virus to pass through untouched and unscanned
> 
> Thanks, David.  We appreciate your efforts.
> 
> Darin.
> 
> 
> - Original Message -
> From: "David Barker" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, October 23, 2006 10:26 AM
> Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
> Declude allows attachments and Virus to pass through untouched and unscanned
> 
> 
> I will see what I can do to bring together a list of known issues. Just give
> me some time (days) and I will get it posted.
> 
> David B
> www.declude.com
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
> Cox
> Sent: Monday, October 23, 2006 10:19 AM
> To: declude.junkmail@declude.com
> Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
> Declude allows attachments and Virus to pass through untouched and unscanned
> 
> Thanks, David.  We appreciate your input.
> 
> Is it feasible to post a list of known issues and/or issues being worked? I
> realize that's a lot of disclosure, and would probably increase call volume
> significantly, but I also know that would make me feel much more comfortable
> of someday being able to exercise our two-year-old unused SA, and upgrade to
> 4.x.
> 
> Thanks again,
> 
> Darin.
> 
> 
> - Original Message -
> F

RE: [Declude.JunkMail] Whitelisting flaw in Declude?

2006-10-19 Thread Dave Beckstrom








A new tag (whitelistunique) which
only would whitelist if the email had a single recipient would solve the
problem and be much safer.

 

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Thursday, October 19, 2006 11:45 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?



 

Yeah, what Matt said.

 

Message splitting before junkmail
filtering would be punishing for CPU time and somewhat more for disk time;
message splitting for the sake of whitelisting (or alternate actions) after
junkmail filtering would be an incremental cost.

 

And message splitting before junkmail
filtering on a system that has a wildcard email address would be lethal for
that system.

 

Andrew.

 

 

p.s. In my corporate network, we email
each other a lot, and we see that Exchange "single instance storage"
of a message only saves us 20% of the disk space.  And that includes
single storage of a message in my Sent Items as well as in my neighbour's Inbox
and the next guy's Deleted Items.

 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, October 18, 2006 8:20 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?

I have some stats here that suggest otherwise. 
We only have 5% more recipients than messages that make it through our gateway,
and we only return permanent errors presently for mail bombing related
activities.  This however is a dedicated gateway and not a hosted mail
server, so stats from a hosted mail server would see a slightly higher rate
since most multiple-recipient E-mails are internal to a server.  If you
are splitting on a gateway and not splitting internal E-mail, you should see no
increase beyond my numbers.

It's a doable solution if one has the need.

Matt


Jay Sudowski - Handy Networks LLC wrote:

Also, realize that on servers processing a large volume of messages per
day, the additional IO necessary to create duplicate messages and header
files for each specific recipient would be a death sentence...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Wednesday, October 18, 2006 9:30 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

To create a duplicate message for each recipient is not a trivial issue.
This is a function of the mail server not Declude.

David Barker
Director of Product Development
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: Tuesday, October 17, 2006 5:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

Declude has always functioned like this.

What declude could do in this case is to duplicate the message for each
recipient and write a new header file to each recipient. Not a big issue.
Deliver to the one that whitelists and run the spam checks for the others.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Tuesday, October 17, 2006 12:37 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?

It's actually more of an issue of how the mail server handles the message.
In the case of multiple recipients, since there is only one message file
addressed to multiple recipients in the headers, it's either deliver or not
deliver unless you rewrite the headers to modify the recipient list.  I
think I'd rather not have the spam filtering system alter that.  Add to the
header, yes.  Alter the recipients, no.

Also, I have not come across a situation where I wanted to let a message go
through to one recipient and not to others, except in the situation of lists
which is a whole other topic.

Darin.

- Original Message -
From: "Dave Beckstrom" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, October 17, 2006 3:11 PM
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

I would call that a flaw, then, in how Declude processes the whitelist.

I have a listserver email address for which I do not want email spam
checked.  This is because I don't want messages going out to the list that
say SPAM in the subject line.  Because nobody who is not a member on the
list can post to the list, there is no problem whitelisting the "TO" address
for mail sent to the list server email address.

However, spammers will send an email to a dozen of our mail addresses (12
recipients) one of which is the whitelisted "TO" address for the listserver.
Because of the way Declude processes the whitelist, that means that the
other 11 recipients receive the spam even though mail to them is not
whitelisted.

That is a bad desi

RE: [Declude.JunkMail] Whitelisting flaw in Declude? - David Barker

2006-10-18 Thread Dave Beckstrom
Darin,

We don't whitelist those addresses at all.  But I could see other companies
wanting to do so.  

This idea that if one address is whitelisted, then they all are, is not a
good situation.  It is good in that some folks might want Declude to process
that way, in which case the current whitelist will work for them.  It's not
good from the standpoint that there is no alternative mechanism.

If Declude has access to all of the envelope information, they should easily
be able to add a new tag that only whitelists an address if it's the only
address in the envelope.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
> Cox
> Sent: Wednesday, October 18, 2006 11:15 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude? - David
> Barker
> 
> Hi Dave,
> 
> A comment on the whitelist to required monitoring addresses... We don't
> whitelist email to abuse@ or postmaster@ addresses.  Instead we have a
> user-specific Declude config that allows mail through to those addresses.
> So, we configure Declude to use this separate config for all postmaster
> and abuse addresses for all domains.
> 
> That way we don't have a need to whitelist to these addresses, and we have
> fine-grained control over what we let through to them.
> 
> Darin.
> 
> 
> - Original Message -
> From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, October 18, 2006 12:06 PM
> Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude? - David
> Barker
> 
> 
> David,
> 
> I agree.
> 
> But I do think the whitelisting needs to be changed.  I think you should
> add a WhitelistUnique tag.
> 
> EG:
> 
> WhitelistUnique TO: [EMAIL PROTECTED]
> 
> 
> The way the tag would function is that the email would only be treated as
> whitelisted if [EMAIL PROTECTED] was the only address in the "TO" field and if
> the carbon copy field is also blank.  This insures that spammers can't stack
> multiple email addresses in the "TO" or "CC" fields, one address of which
> is whitelisted, thus forcing the email to pass through Declude to ALL
> RECIPIENTS rather than just to the whitelisted recipient.
> 
> 
> Besides the listserver problem I described, I can see some places wanting
> to whitelist email to [EMAIL PROTECTED] or [EMAIL PROTECTED]  Spammers who have
> figured out this gaping hole in Declude could easily force all email to a
> site to be whitelisted by simply sending email to [EMAIL PROTECTED] and
> tagging a dozen other addresses onto the "TO" field.  Not good.
> 
> Is my suggestion something that you can implement?
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > David Barker
> > Sent: Wednesday, October 18, 2006 8:30 AM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?
> >
> > To create a duplicate message for each recipient is not a trivial issue.
> > This is a function of the mail server not Declude.
> >
> > David Barker
> > Director of Product Development
> > Your Email security is our business
> > 978.499.2933 office
> > 978.988.1311 fax
> > [EMAIL PROTECTED]
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Kevin Bilbee
> > Sent: Tuesday, October 17, 2006 5:08 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?
> >
> > Declude has always functioned like this.
> >
> > What declude could do in this case is to duplicate the message for each
> > recipient and write a new header file to each recipient. Not a big
> > issue.
> > Deliver to the one that whitelists and run the spam checks for the
> > others.
> >
> >
> >
> > Kevin Bilbee
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Darin Cox
> > > Sent: Tuesday, October 17, 2006 12:37 PM
> > > To: declude.junkmail@declude.com
> > > Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?
> > >
> > > It's actually more of an issue of how the mail server handles the
> > > message.
> > > In the case of multiple recipients, since there is only one message
> > > file addressed to multiple recipients in the headers, it's either
> > > deliver or not deliver unless you rewrite the headers to modify the
> > > > recipient list.  I think I

RE: [Declude.JunkMail] Whitelisting flaw in Declude? - David Barker

2006-10-18 Thread Dave Beckstrom
David,

I agree. 

But I do think the whitelisting needs to be changed.  I think you should add
a WhitelistUnique tag.

EG:

WhitelistUnique TO: [EMAIL PROTECTED]


The way the tag would function is that the email would only be treated as
whitelisted if [EMAIL PROTECTED] was the only address in the "TO" field and if
the carbon copy field is also blank.  This insures that spammers can't stack
multiple email addresses in the "TO" or "CC" fields, one address of which is
whitelisted, thus forcing the email to pass through Declude to ALL
RECIPIENTS rather than just to the whitelisted recipient.


Besides the listserver problem I described, I can see some places wanting to
whitelist email to [EMAIL PROTECTED] or [EMAIL PROTECTED]  Spammers who have
figured out this gaping hole in Declude could easily force all email to a
site to be whitelisted by simply sending email to [EMAIL PROTECTED] and tagging
a dozen other addresses onto the "TO" field.  Not good.

Is my suggestion something that you can implement?



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Wednesday, October 18, 2006 8:30 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?
> 
> To create a duplicate message for each recipient is not a trivial issue.
> This is a function of the mail server not Declude.
> 
> David Barker
> Director of Product Development
> Your Email security is our business
> 978.499.2933 office
> 978.988.1311 fax
> [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
> Bilbee
> Sent: Tuesday, October 17, 2006 5:08 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?
> 
> Declude has always functioned like this.
> 
> What declude could do in this case is to duplicate the message for each
> recipient and write a new header file to each recipient. Not a big issue.
> Deliver to the one that whitelists and run the spam checks for the others.
> 
> 
> 
> Kevin Bilbee
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Darin Cox
> > Sent: Tuesday, October 17, 2006 12:37 PM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?
> >
> > It's actually more of an issue of how the mail server handles the
> > message.
> > In the case of multiple recipients, since there is only one message
> > file addressed to multiple recipients in the headers, it's either
> > deliver or not deliver unless you rewrite the headers to modify the
> > recipient list.  I think I'd rather not have the spam filtering system
> > alter that.  Add to the header, yes.  Alter the recipients, no.
> >
> > Also, I have not come across a situation where I wanted to let a
> > message go through to one recipient and not to others, except in the
> > situation of lists which is a whole other topic.
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Tuesday, October 17, 2006 3:11 PM
> > Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?
> >
> >
> > I would call that a flaw, then, in how Declude processes the whitelist.
> >
> > I have a listserver email address for which I do not want email spam
> > checked.  This is because I don't want messages going out to the list
> > that say SPAM in the subject line.  Because nobody who is not a member
> > on the list can post to the list, there is no problem whitelisting the
> > "TO" address for mail sent to the list server email address.
> >
> > However, spammers will send an email to a dozen of our mail addresses
> > (12 recipients) one of which is the whitelisted "TO" address for the
> > listserver.  Because of the way Declude processes the whitelist, that
> > means that the other 11 recipients receive the spam even though mail to
> > them is not whitelisted.
> >
> > That is a bad design on Declude's part, wouldn't you agree?  Anyone
> > else feel that this needs to be rectified?
> >
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Darrell
> > > ([EMAIL PROTECTED])
> > > Sent: Tuesday, October 17, 2006 11:25 AM
> > > To: declude.junkmail@declu

[Declude.JunkMail] OT: Stupid Spammer Humor

2006-10-18 Thread Dave Beckstrom
Received a paypal phishing scheme spam this morning.  Note the url:


www.chainmailstore.com/scamerchantsrow/phpSecurePages/www.paypal.com/cgi-bin
/us/cmd/webscr-cmd=_login/index.php


I got a kick out of the scamerchantsrow in the url.  Scammer









RE: [Declude.JunkMail] Whitelisting flaw in Declude?

2006-10-17 Thread Dave Beckstrom
Hi Darin,

Thanks for the great explanation.   You always offer good feedback.   Thanks
to everyone else who replied, too.

Which is the lesser of two evils  --  Whitelist email to all recipients even
though only one recipient is in the whitelist; or ignore the whitelist
request entirely if the email has multiple recipients and only one of whom
is in the whitelist?



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
> Cox
> Sent: Tuesday, October 17, 2006 2:37 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?
> 
> It's actually more of an issue of how the mail server handles the message.
> In the case of multiple recipients, since there is only one message file
> addressed to multiple recipients in the headers, it's either deliver or
> not deliver unless you rewrite the headers to modify the recipient list.  I
> think I'd rather not have the spam filtering system alter that.  Add to
> the header, yes.  Alter the recipients, no.
>
> Also, I have not come across a situation where I wanted to let a message
> go through to one recipient and not to others, except in the situation of
> lists which is a whole other topic.
> 
> Darin.
> 
> 
> - Original Message -
> From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, October 17, 2006 3:11 PM
> Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?
> 
> 
> I would call that a flaw, then, in how Declude processes the whitelist.
> 
> I have a listserver email address for which I do not want email spam
> checked.  This is because I don't want messages going out to the list that
> say SPAM in the subject line.  Because nobody who is not a member on the
> list can post to the list, there is no problem whitelisting the "TO"
> address for mail sent to the list server email address.
>
> However, spammers will send an email to a dozen of our mail addresses (12
> recipients) one of which is the whitelisted "TO" address for the
> listserver.  Because of the way Declude processes the whitelist, that means
> that the other 11 recipients receive the spam even though mail to them is
> not whitelisted.
> 
> That is a bad design on Declude's part, wouldn't you agree?  Anyone else
> feel that this needs to be rectified?
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Darrell
> > ([EMAIL PROTECTED])
> > Sent: Tuesday, October 17, 2006 11:25 AM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?
> >
> > If one user is whitelisted they all will be whitelisted for that email.
> > There are some things you can do to prevent this like BYPASSWHITELIST
> > test.
> >
> > Darrell
> >
> > ----
> > Check out http://www.invariantsystems.com for utilities for Declude And
> > Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> > MRTG Integration, and Log Parsers.
> >
> > - Original Message -
> > From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Tuesday, October 17, 2006 11:18 AM
> > Subject: [Declude.JunkMail] Whitelisting flaw in Declude?
> >
> >
> > If an email is received that is addressed to multiple recipients, one of
> > whom is whitelisted, does Declude treat the email as whitelisted for all
> > recipients?
> >






---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
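
The whitelisting choice debated in this thread, as an added example that is not Declude's code and not from any poster: it compares the behaviour described above ("any" whitelisted recipient whitelists the message for everyone) with the proposed WhitelistUnique rule, plus a stricter "all recipients" variant that goes beyond the thread. The policy names, addresses and sample messages are constructed, and the recipient list is assumed to be the full set of envelope recipients.

```python
"""Added illustration (not Declude code): per-message whitelist decisions
for multi-recipient mail. Policy names, addresses and messages are constructed."""
from typing import Dict, Iterable, List

POLICIES = ("any", "unique", "all")


def _norm(addr: str) -> str:
    """Normalise an address for comparison: trim, drop <>, lower-case."""
    return addr.strip().strip("<>").strip().lower()


def is_whitelisted(recipients: Iterable[str], whitelist: Iterable[str],
                   policy: str) -> bool:
    """Decide whether one message skips spam checks.

    recipients: envelope recipients (assumption: the filter can see them all).
    any    -> one whitelisted recipient whitelists the message for everyone
              (the behaviour described in the thread).
    unique -> the proposed WhitelistUnique idea: whitelist only when the
              whitelisted address is the sole recipient.
    all    -> stricter variant beyond the thread: every recipient must be
              whitelisted.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    rcpts = {_norm(r) for r in recipients if _norm(r)}
    allowed = {_norm(a) for a in whitelist}
    if not rcpts:
        return False  # nothing to match, so never skip scanning
    if policy == "any":
        return bool(rcpts & allowed)
    if policy == "unique":
        # Repeats of the same address collapse to one recipient.
        return len(rcpts) == 1 and rcpts <= allowed
    return rcpts <= allowed  # "all"


def unscanned_exposure(messages: Dict[str, List[str]],
                       whitelist: Iterable[str],
                       policy: str) -> Dict[str, List[str]]:
    """Map message id -> non-whitelisted recipients who would receive the
    message without spam checks under the given policy."""
    allowed = {_norm(a) for a in whitelist}
    exposed: Dict[str, List[str]] = {}
    for msg_id, recipients in messages.items():
        if is_whitelisted(recipients, whitelist, policy):
            leaked = sorted({_norm(r) for r in recipients} - allowed)
            if leaked:
                exposed[msg_id] = leaked
    return exposed


# Constructed sample data; example.test addresses are placeholders.
WHITELIST = ["list@example.test", "abuse@example.test"]
MESSAGES = {
    # Ordinary post to the whitelisted list address.
    "list-post": ["list@example.test"],
    # The case from the thread: 12 recipients, one of them whitelisted.
    "stacked": ["list@example.test"]
               + [f"user{n:02d}@example.test" for n in range(1, 12)],
    # Two recipients, both whitelisted.
    "two-whitelisted": ["<LIST@example.test>", "abuse@example.test"],
    # Single non-whitelisted recipient.
    "plain": ["user01@example.test"],
}

if __name__ == "__main__":
    for policy in POLICIES:
        skipped = [m for m, r in MESSAGES.items()
                   if is_whitelisted(r, WHITELIST, policy)]
        print(policy, "skips scanning for:", skipped)
        for msg_id, leaked in unscanned_exposure(MESSAGES, WHITELIST, policy).items():
            print("   ", msg_id, "reaches", len(leaked),
                  "non-whitelisted recipients unscanned")
```
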



RE: [Declude.JunkMail] Whitelisting flaw in Declude?

2006-10-17 Thread Dave Beckstrom
I would call that a flaw, then, in how Declude processes the whitelist.

I have a listserver email address for which I do not want email spam
checked.  This is because I don't want messages going out to the list that
say SPAM in the subject line.  Because nobody who is not a member on the
list can post to the list, there is no problem whitelisting the "TO" address
for mail sent to the list server email address.

However, spammers will send an email to a dozen of our mail addresses (12
recipients) one of which is the whitelisted "TO" address for the listserver.
Because of the way Declude processes the whitelist, that means that the
other 11 recipients receive the spam even though mail to them is not
whitelisted.

That is a bad design on Declude's part, wouldn't you agree?  Anyone else
feel that this needs to be rectified?



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Darrell
> ([EMAIL PROTECTED])
> Sent: Tuesday, October 17, 2006 11:25 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?
> 
> If one user is whitelisted they all will be whitelisted for that email.
> There are some things you can do to prevent this like BYPASSWHITELIST
> test.
>
> Darrell
> 
> 
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> MRTG Integration, and Log Parsers.
> 
> - Original Message -
> From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, October 17, 2006 11:18 AM
> Subject: [Declude.JunkMail] Whitelisting flaw in Declude?
> 
> 
> If an email is received that is addressed to multiple recipients, one of
> whom is whitelisted, does Declude treat the email as whitelisted for all
> recipients?
> 
> 
> 
> 
> 

[Declude.JunkMail] Whitelisting flaw in Declude?

2006-10-17 Thread Dave Beckstrom
If an email is received that is addressed to multiple recipients, one of
whom is whitelisted, does Declude treat the email as whitelisted for all
recipients?






RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Dave Beckstrom
Jay,

I can tell you why it didn't run for you.  You have to turn DEP (Data
Execution Prevention) off on the server.   That will eliminate the BSOD and
blackice will run flawlessly.



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sudowski - Handy Networks LLC
> Sent: Thursday, October 12, 2006 8:46 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Well, it didn't run for us.  We tried and it caused random BSOD and ISS
> wouldn't provide any support.
> 
> -Jay
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Thursday, October 12, 2006 7:38 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Blackice runs perfect on Windows 2003 server.  I posted the install
> instructions on this list a couple of weeks ago.
> 
> Craig -- I believe some email servers will open a secondary connection
> as
> part of their spam checking.  In that case, you might see 2 connections
> which would be legitimate.
> 
> What setting did you change in blackice to drop those IPs with multiple
> connections?
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Jay
> > Sudowski - Handy Networks LLC
> > Sent: Thursday, October 12, 2006 7:59 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> >
> > Of course, BlackIce does not support Windows 2003.
> >
> > -Jay
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Craig Edmonds
> > Sent: Thursday, October 12, 2006 3:51 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> > Importance: High
> >
> > That's why I now use Blackice Server from IIS.
> >
> > It can detect multiple smtp connections and close ips down
> > automatically.
> >
> > Its pretty slick.
> >
> > Kindest Regards
> > Craig Edmonds
> > 123 Marbella Internet
> > W: www.123marbella.com
> >
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Dave
> > Beckstrom
> > Sent: Thursday, October 12, 2006 11:24 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Interesting SMTP connection patterns
> >
> > Yesterday I took a snapshot of the SMTP connections active on our
> > server.  I
> > then did a reverse IP to find out where they were from.
> >
> > Below are the results.  You can see someone from Thailand had 5 SMTP
> > connections active and Spain had 4.  You can also see that only 3 of
> > the
> > IPS
> > connected were for potentially legitimate email.  We don't get any
> > legitimate email from other Countries so everything not from the USA
> > would
> > be spam.
> >
> > Any idea why a spammer would open more than one SMTP connection?
> >
> >

RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Dave Beckstrom
Darrell,

I wondered if that might be the case.  Thanks for the info!

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Darrell
> ([EMAIL PROTECTED])
> Sent: Thursday, October 12, 2006 4:44 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Dave,
> 
> That is really not that uncommon.  I see this with very aggressive
> spammers who are trying to get the most spam through in the least amount
> of time and have no disregard for crashing the server they are sending
> spam to...
>
> Darrell
>  ---
> Check out http://www.invariantsystems.com for utilities for Declude,
> Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
> SURBL/URI integration, MRTG Integration, and Log Parsers.
> 
> 
> Dave Beckstrom writes:
> 
> > Yesterday I took a snapshot of the SMTP connections active on our
> > server.  I then did a reverse IP to find out where they were from.
> >
> > Below are the results.  You can see someone from Thailand had 5 SMTP
> > connections active and Spain had 4.  You can also see that only 3 of the
> > IPS connected were for potentially legitimate email.  We don't get any
> > legitimate email from other Countries so everything not from the USA
> > would be spam.
> >
> > Any idea why a spammer would open more than one SMTP connection?
> >
> >

RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Dave Beckstrom
Blackice runs perfect on Windows 2003 server.  I posted the install
instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection as
part of their spam checking.  In that case, you might see 2 connections
which would be legitimate.

What setting did you change in blackice to drop those IPs with multiple
connections?



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sudowski - Handy Networks LLC
> Sent: Thursday, October 12, 2006 7:59 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Of course, BlackIce does not support Windows 2003.
> 
> -Jay
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Craig Edmonds
> Sent: Thursday, October 12, 2006 3:51 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> Importance: High
> 
> That's why I now use Blackice Server from IIS.
> 
> It can detect multiple smtp connections and close ips down
> automatically.
> 
> Its pretty slick.
> 
> Kindest Regards
> Craig Edmonds
> 123 Marbella Internet
> W: www.123marbella.com
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Thursday, October 12, 2006 11:24 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Yesterday I took a snapshot of the SMTP connections active on our
> server.  I
> then did a reverse IP to find out where they were from.
> 
> Below are the results.  You can see someone from Thailand had 5 SMTP
> connections active and Spain had 4.  You can also see that only 3 of the
> IPS
> connected were for potentially legitimate email.  We don't get any
> legitimate email from other Countries so everything not from the USA
> would
> be spam.
> 
> Any idea why a spammer would open more than one SMTP connection?
> 
> 

[Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Dave Beckstrom
Yesterday I took a snapshot of the SMTP connections active on our server.  I
then did a reverse IP to find out where they were from.

Below are the results.  You can see someone from Thailand had 5 SMTP
connections active and Spain had 4.  You can also see that only 3 of the IPs
connected were for potentially legitimate email.  We don't get any
legitimate email from other countries so everything not from the USA would
be spam.

Any idea why a spammer would open more than one SMTP connection?  


202.139.211.241   5   Thailand
88.0.230.26       4   Spain
71.55.71.138      2   USA
87.219.166.9      2   Spain
213.85.39.108     1   Russian Federation
84.77.107.183     1   Spain
83.131.106.234    1   Croatia
84.61.135.61      1   Germany
83.84.74.219      1   Netherlands
90.9.36.180       1   France
83.167.108.79     1   Russian Federation
67.172.162.33     1   USA
84.54.248.96      1   Russian Federation
86.75.242.215     1   France
201.208.171.250   1   Venezuela
88.204.240.177    1   Kazakstan
82.158.0.237      1   Spain
69.30.246.125     1   USA
200.168.86.224    1   Brazil
83.167.108.44     1   Russian Federation
75.41.79.203      1   USA
200.206.252.123   1   Brazil
84.60.109.148     1   Germany








RE: [Declude.JunkMail] picture spam

2006-10-12 Thread Dave Beckstrom
 




>You guys should have made a deal with Pete instead of CommTouch.  Sniffer
>blows it out of the water and he has no licensing restrictions.  IMO of
>course.
>
>Matt


Matt, 

They should have made a deal with Pete and done it so as to keep the cost
down.  At $295 a year it wasn't priced unreasonably.  Now, at close to $500
a year it hurts to fork out that kind of money simply to block some
additional spam.

Email is strictly a money pit for us.  It is not a source of revenue.
Forking out $1,000 a year or so for Declude and Sniffer is a lot of money
just to deal with spam.

Personally, I think it should be legal to hunt down spammers and hang them
from the nearest tree.   












RE: [Declude.JunkMail] picture spam

2006-10-12 Thread Dave Beckstrom
Chris,

According to Declude’s web site, any business that provides email to
customers can’t use commtouch.  That pretty well rules out most of the
people on this list.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chris
Sent: Thursday, October 12, 2006 9:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

A one time cost of 195.00 is not a large portion of your revenue and it is
your option to not implement this or not…

Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, October 12, 2006 9:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

...and give a large part of our revenue to Commtouch?

Provide a feasible way to justify the additional costs for our existing
customers and service contracts!

THEN we could talk about Commtouch.

BTW: even if it's hard work to maintain a reliable spam filter it's not an
impossible thing. Years of contribution from our own researches, creation of
text filters, publication of new spam and filter signs, development of - in
declude long time and still missing - additional external tests allowed and
still allows us to have reliable filters and no image spam in my inbox. The
question is why Declude has become a competitor of our work from what it was
some years ago: an excellent tool for us admins to do our own hard work.

Looking at your pricing I can see anywhere limitations based on users. What
if I have a single gatewayed domain?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chris
Sent: Thursday, October 12, 2006 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

Guys, Commtouch hasn’t missed any, stop making things hard on yourselves…..

Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 5:17 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam

Sorbs-DUL and NJABL Dynablock look to be the best. Although they miss lots.

5-10's has been discontinued.

- Original Message -
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 3:53 PM
Subject: RE: [Declude.JunkMail] picture spam

Thanks all for the various suggestions.  Agreed- combo is the way to use
that test, for sure.  A bit OT, but what is the popular and accurate DUL
database these days?  How accurate is fiveten at DUL lookups?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 12:49 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam

I combo the graphics hit (jpg, gif or png) with:

1.  bad DNS - None or timeout
2.  bad language (eastern European iso-8859-2) or Cyrillic (koi8-r or
    iso-8859-5), etc
3.  cmdspace
4.  good DUL IP lists/tests
5.  having forged your local domain.

I still get 5-10 a day. It is a pain.

- Original Message -
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 12:08 PM
Subject: [Declude.JunkMail] picture spam

Has anyone figured out a reasonable way to use Declude to minimize picture
spam?  Sniffer is missing most.  They are sent from fresh hosts, so RBL’s
don’t catch them, and there is no target, so INVuribl misses them as well.
Associates of ours are using Barracuda to stop most successfully, so it is
at least possible.  Ideas are welcomed.

Dave

[Declude.JunkMail] INV-URIBL Scoring?

2006-10-10 Thread Dave Beckstrom
Hi Guys,


Considering that INV-URIBL looks at just the links contained in known spam,
is it safe to set the weight on this test so high that this single test
would trigger a hold or delete weight?

Right now I have it set to score fairly low, and it adds to the total score,
but would not cause a hold without other tests adding to the weight. 








RE: [Declude.JunkMail] Blocking these?

2006-10-05 Thread Dave Beckstrom
Hi John,

Thanks for the info on the monthly.  I didn't know they offered that.  They
charge $500 a year for a renewal.

I own my company so either way the $500 comes out of my pocket.  I spent a
lot of money in the last month, which is why I don't want to spend another
$500 right now.

I'd like to see it made legal to hang anyone caught spamming.  :)

You know what I think is the worst spam?  The political spam.  Any
politician who sends me spam asking me to vote for them is guaranteed that I
will vote against them!



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle
> Sent: Thursday, October 05, 2006 1:38 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Blocking these?
> 
> Dave
> For goodness sake, call sniffer up, they offer a monthly subscription for I
> think less than 30 dollars. Put it on your credit card and get your company
> to reimburse you next month and send them a check for the 12 months and it's
> done. I'd hate to think what's getting through without some sort of added
> filter
> like sniffer.
> 
> John
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave
> Beckstrom
> Sent: Wednesday, October 04, 2006 8:42 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Blocking these?
> 
> 
> How are you guys blocking something like the spam below?
> 
> There is no URL to block on.  They keep bastardizing words in the body of
> the email to the point where you can't hardly block based on the content.
> 
> What do you guys do with these?
> 
> 
> 
> -Original Message-
> From: Louis Rubin [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 05, 2006 8:48 AM
> To: 
> Subject: Chavez accused
> 
> THIS  THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!!
> DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!!
> 
> 
> T r a d e Ale rt: THURSDAY, October 05, 2006
> 'STOCK': CRSVF.OB
> Current  Pri ce : $0.18
> Pr evClose   :  $0.19
> Recommendation: ST RO NG B UY
> 
> WATCH THIS  S TOCK  GO HIGHER AND RI SE
> DON'T M I SS THIS   IN VES TMENT MOMENT, PLACE CRSVF ON THE   RA DAR!!!
> 
> About Capital Reserve Canada:
> CRC is an oil and gas ser vices comp any based in Edmonton, Alberta.
> Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC
> offers technologically tools for use in four areas of the industry.
> The first aids in testing & development of newly found resources; another
> measure existing wells' productivity; and the third hastens well
> abandonment, ensuring compliance with regulatory emission guidelines.
> The fourth, through its pro prie tary hardware and software technologies,
is
> used to determine the profitability of coal bed methane deposits, which
may
> be developed and sold as natural gas.
> 
> 
> CRC has a second wholly owned subsidiary, Two Hills Environmental, to
assist
> with problem waste from oil & gas companies, and provide undergro und
> storage.
> 
> 
> ADD THIS GE M TO YOUR  PORTFOLIO  AND WATCH IT TRADE ON THURSDAY,
> October
> 05, 2006 !!
> TR ADE  SM ART AND W I N WITH CRSVF!!!
> Start to buy at 10:30 AM , October 05 2006
> It will blow up
> 
> 
> 
> 
> 
> 



RE: [Declude.JunkMail] Blocking these?

2006-10-05 Thread Dave Beckstrom
Darin,

No, I believe sniffer stopped completely.

Here is a header from another one that just came through. Same stock spam.
I can add a from filter for stocknews but that won't be effective very long.
It scored a 4 for having no SPF record and for originating outside the US.


Return-Path: <[EMAIL PROTECTED]> Thu Oct 05 10:35:03 2006
Received: from unusedaddr3-29.dnet.pl [87.239.3.29] by perseus.sixthweb.com
with SMTP;
   Thu, 5 Oct 2006 10:35:03 -0500
Return-Path: <[EMAIL PROTECTED]>
Received: from 129.196.250.12 (HELO mx1.danahermail.com)
 by atvconnection.com with esmtp (KK0844V0HB QO6P)
 id ZP9WBI-G8PVG0-8B
 for [EMAIL PROTECTED]; Thu, 5 Nov 2006 15:32:01 -0060
From: "Paulette Broussard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: a Washington 
Date: Thu, 5 Nov 2006 15:32:01 -0060
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Thread-Index: Aca6QLM7WBUW3YPHNFDYSDP5TN93PJ==
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 224,
weight 3)
X-Note: 
X-Note: Spam Score: [4]
X-Note: Scan Time: 10:35:53 on 05 Oct 2006
X-Note: Spool File: 34526525.eml
X-Note: Server Name: unusedaddr3-29.dnet.pl
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: unusedaddr3-29.dnet.pl [87.239.3.29]
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Country Chain: UNITED STATES->POLAND->destination
X-Note: Failed Weights: SPFUNKNOWN [1], Filter_Country [3]
X-Note: 




> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, October 05, 2006 9:32 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Blocking these?
> 
> Hmmm... I thought it did run with the old data file.  At the very least you
> could run with the trial key, which would use an older rulebase.
> 
> Note that running an old rulebase will mean much of this rapidly changing
> spam will get through.
> 
> Headers would help...
> 
> Darin.
> 
> 
> - Original Message -
> From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, October 05, 2006 10:07 AM
> Subject: RE: [Declude.JunkMail] Blocking these?
> 
> 
> Darin,
> 
> I let my Sniffer subscription lapse for a few weeks until I could afford to
> renew it.  I thought it would continue to run with whatever the latest data
> file was as of the day that it expired and that it just wouldn't be as
> current without the updates.  I assumed it worked that way because that's
> how the trial works -- it runs but with an old data file.
> 
> Well, apparently not.  Apparently it doesn't run at all any more.
> 
> I thought perhaps someone had an idea on how to block these that didn't
> require sniffer.  Just as a temporary solution until I purchase the renewal
> in a week or two.
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Thursday, October 05, 2006 8:25 AM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] Blocking these?
> >
> > Sniffer catches most of these.  What do the headers look like?
> >
> > Darin.
> >
> >
> > - Original Message -
> > From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Wednesday, October 04, 2006 11:42 PM
> > Subject: [Declude.JunkMail] Blocking these?
> >
> >
> > How are you guys blocking something like the spam below?
> >
> > There is no URL to block on.  They keep bastardizing words in the body of
> > the email to the point where you can't hardly block based on the content.
> >
> > What do you guys do with these?
> >
> >
> >
> > -Original Message-
> > From: Louis Rubin [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, November 05, 2006 8:48 AM
> > To: 
> > Subject: Chavez accused
> >
> > THIS  THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!!
> > DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!!
> >
> >
> > T r a d e Ale rt: THURSDAY, October 05, 2006
> > 'STOCK': CRSVF.OB
> > Current  Pri ce : $0.18
> > Pr evClose   :  $0.19
> > Recommendation: ST RO NG B UY
> >
> > WATCH THIS  S TOCK  GO HIGHER AND RI SE
> > DON'T

RE: [Declude.JunkMail] Blocking these?

2006-10-05 Thread Dave Beckstrom
Darin,

I let my Sniffer subscription lapse for a few weeks until I could afford to
renew it.  I thought it would continue to run with whatever the latest data
file was as of the day that it expired and that it just wouldn't be as
current without the updates.  I assumed it worked that way because that's
how the trial works -- it runs but with an old data file.

Well, apparently not.  Apparently it doesn't run at all any more.

I thought perhaps someone had an idea on how to block these that didn't
require sniffer.  Just as a temporary solution until I purchase the renewal
in a week or two.



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, October 05, 2006 8:25 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Blocking these?
> 
> Sniffer catches most of these.  What do the headers look like?
> 
> Darin.
> 
> 
> - Original Message -
> From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, October 04, 2006 11:42 PM
> Subject: [Declude.JunkMail] Blocking these?
> 
> 
> How are you guys blocking something like the spam below?
> 
> There is no URL to block on.  They keep bastardizing words in the body of
> the email to the point where you can't hardly block based on the content.
> 
> What do you guys do with these?
> 
> 
> 
> -Original Message-
> From: Louis Rubin [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 05, 2006 8:48 AM
> To: 
> Subject: Chavez accused
> 
> THIS  THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!!
> DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!!
> 
> 
> T r a d e Ale rt: THURSDAY, October 05, 2006
> 'STOCK': CRSVF.OB
> Current  Pri ce : $0.18
> Pr evClose   :  $0.19
> Recommendation: ST RO NG B UY
> 
> WATCH THIS  S TOCK  GO HIGHER AND RI SE
> DON'T M I SS THIS   IN VES TMENT MOMENT, PLACE CRSVF ON THE   RA DAR!!!
> 
> About Capital Reserve Canada:
> CRC is an oil and gas ser vices comp any based in Edmonton, Alberta.
> Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC
> offers technologically tools for use in four areas of the industry.
> The first aids in testing & development of newly found resources; another
> measure existing wells' productivity; and the third hastens well
> abandonment, ensuring compliance with regulatory emission guidelines.
> The fourth, through its pro prie tary hardware and software technologies,
is
> used to determine the profitability of coal bed methane deposits, which
may
> be developed and sold as natural gas.
> 
> 
> CRC has a second wholly owned subsidiary, Two Hills Environmental, to
assist
> with problem waste from oil & gas companies, and provide undergro und
> storage.
> 
> 
> ADD THIS GE M TO YOUR  PORTFOLIO  AND WATCH IT TRADE ON THURSDAY,
> October
> 05, 2006 !!
> TR ADE  SM ART AND W I N WITH CRSVF!!!
> Start to buy at 10:30 AM , October 05 2006
> It will blow up
> 
> 
> 
> 
> 
> 



[Declude.JunkMail] Blocking these?

2006-10-04 Thread Dave Beckstrom
How are you guys blocking something like the spam below?  

There is no URL to block on.  They keep bastardizing words in the body of
the email to the point where you can't hardly block based on the content. 

What do you guys do with these?



-Original Message-
From: Louis Rubin [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 05, 2006 8:48 AM
To: 
Subject: Chavez accused 

THIS  THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!!
DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!!


T r a d e Ale rt: THURSDAY, October 05, 2006
'STOCK': CRSVF.OB
Current  Pri ce : $0.18
Pr evClose   :  $0.19
Recommendation: ST RO NG B UY 

WATCH THIS  S TOCK  GO HIGHER AND RI SE 
DON'T M I SS THIS   IN VES TMENT MOMENT, PLACE CRSVF ON THE   RA DAR!!!

About Capital Reserve Canada:
CRC is an oil and gas ser vices comp any based in Edmonton, Alberta. 
Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC
offers technologically tools for use in four areas of the industry. 
The first aids in testing & development of newly found resources; another
measure existing wells' productivity; and the third hastens well
abandonment, ensuring compliance with regulatory emission guidelines. 
The fourth, through its pro prie tary hardware and software technologies, is
used to determine the profitability of coal bed methane deposits, which may
be developed and sold as natural gas.


CRC has a second wholly owned subsidiary, Two Hills Environmental, to assist
with problem waste from oil & gas companies, and provide undergro und
storage.


ADD THIS GE M TO YOUR  PORTFOLIO  AND WATCH IT TRADE ON THURSDAY, October
05, 2006 !!
TR ADE  SM ART AND W I N WITH CRSVF!!!
Start to buy at 10:30 AM , October 05 2006
It will blow up
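
The sample above defeats keyword filters by splitting words with spaces, so one way to catch it is to score the splitting itself. The following is an added example, not part of the original post and not Declude's or Sniffer's filter logic; the phrase list, weights and threshold are assumptions chosen for illustration.

```python
import re

# Constructed phrase list, taken from the wording of the sample message above.
WATCH_PHRASES = ["trade alert", "strong buy", "investment", "stock", "price", "radar"]

# A few lines copied from the sample message quoted in this post.
SPAM_BODY = """\
T r a d e Ale rt: THURSDAY, October 05, 2006
'STOCK': CRSVF.OB
Current  Pri ce : $0.18
Recommendation: ST RO NG B UY
WATCH THIS  S TOCK  GO HIGHER AND RI SE
DON'T M I SS THIS   IN VES TMENT MOMENT, PLACE CRSVF ON THE   RA DAR!!!
"""

# Constructed legitimate message that uses the same vocabulary normally.
HAM_BODY = """\
Our analyst kept a strong buy rating on the stock.
The price target and the investment thesis are unchanged.
"""


def squeeze(text):
    """Lower-case the text and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def line_hits(line, phrases):
    """Return (plain, hidden) phrase sets for one line of body text.

    plain  = phrase appears with normal spelling and spacing
    hidden = phrase appears only after all spacing/punctuation is removed
    """
    normal = re.sub(r"\s+", " ", line.lower())
    squeezed = squeeze(line)
    plain, hidden = set(), set()
    for phrase in phrases:
        if re.search(r"\b" + re.escape(phrase) + r"\b", normal):
            plain.add(phrase)
        elif squeeze(phrase) in squeezed:
            hidden.add(phrase)
    return plain, hidden


def obfuscation_report(body, phrases=WATCH_PHRASES, weight_per_hit=2, min_hidden=2):
    """Score a message body line by line.

    Matching per line keeps a phrase from being assembled across line breaks.
    A single hidden hit can be an accident ("sharp rice" contains "price"),
    so nothing is scored until min_hidden distinct phrases are hidden.
    """
    plain, hidden = set(), set()
    for line in body.splitlines():
        p, h = line_hits(line, phrases)
        plain |= p
        hidden |= h
    flagged = len(hidden) >= min_hidden
    return {
        "plain": sorted(plain),
        "hidden": sorted(hidden),
        "weight": weight_per_hit * len(hidden) if flagged else 0,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(name, obfuscation_report(body))
```

The legitimate message uses the same words but scores zero, because only phrases that appear solely in split-up form add weight.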









RE: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

2006-09-29 Thread Dave Beckstrom
Chris,

Will Declude be repackaging the install with the defaults set to mimic the old
behavior?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of chris
Sent: Friday, September 29, 2006 9:29 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

There is a warning added to your account pages that show this new upgrades
effect after installation

Chris Asaro
Technical Support Engineer
Declude
Your Email security is our business
866.332.5833  toll free
978.499.2933  office
978.477.8930  e-fax
[EMAIL PROTECTED]
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harry Vanderzand
Sent: Friday, September 29, 2006 10:23 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

I am going to do the upgrade again this time putting the following commands
in the cfg file:

OUTBOUNDSCANNINGSPAM ON
INBOUNDSCANNINGSPAM ON

Obviously this should not have happened and it was unfortunate.  I believe
Declude is getting a message ready for everyone.

I will let you know the results shortly to confirm that that was it

Thanks for your responses

Harry Vanderzand
inTown Internet & Computer Services
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of chris
Sent: Friday, September 29, 2006 10:08 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

Nick,  I will definitely post these results, but I have yet to hear from
harry, I believe the response from the first user is the solution!!!

Chris Asaro
Technical Support Engineer
Declude
Your Email security is our business
866.332.5833  toll free
978.499.2933  office
978.477.8930  e-fax
[EMAIL PROTECTED]
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Friday, September 29, 2006 9:55 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

Harry,

Please post to the list the details -

Thanks

-Nick

chris wrote:

Harry

Contact me off the list if you can, I would like to help

Chris Asaro
Technical Support Engineer
Declude
Your Email security is our business
866.332.5833  toll free
978.499.2933  office
978.477.8930  e-fax
[EMAIL PROTECTED]
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harry Vanderzand
Sent: Friday, September 29, 2006 9:15 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

Last night at 8:11PM I upgraded from 4.3.7 to 4.3.14

From that point on we stopped catching all spam for these clients that have
their own mail server.  We just filter their mail for spam and pass it on.

I just reverted back to 4.3.7 and now we are catching spam again for them

We catch over 4000 spam messages per day for one of these clients alone so
you can imagine their complaint this morning.

Anyone know what would have caused this?

Thank you

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222


RE: [Declude.JunkMail] Blackice Server Settings

2006-09-21 Thread Dave Beckstrom
I’m leaving town in a little bit and I won’t be back until Sunday.  If
someone reminds me on Sunday or Monday I’d be happy to post the settings.

Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this.

Dave,

Could you post the ini settings for BlackIce that can help with mail servers?

Thanks


[Declude.JunkMail] Blackice Server (was] Spam Spike)

2006-09-20 Thread Dave Beckstrom
It is a little tricky from the standpoint that it does not automatically
block the IPs and Blackice does not document how to enable this feature.  I
actually got it working some years ago when I found a guy who had written
their software manual.  He and I corresponded and he helped me get it
figured out.  Out-of-the-box it reports on email harvesting but does not
block the IPs.

There is an Excel document that needs some parameter changes and there is an
.INI file that also needs a change added to it.

If anyone buys the software and needs help configuring it, I can post the
necessary changes to the list.  

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
> Sent: Wednesday, September 20, 2006 3:15 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Spam Spike
> 
> How tricky is it to configure this?  Current price I find is $300.
> 
> G.Z.
> 
> 
> ----- Original Message -
> From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, September 20, 2006 1:08 PM
> Subject: RE: [Declude.JunkMail] Spam Spike
> 
> 
> I run Blackice Server on the mail server.  It drops the connecting IP if we
> receive more than a user specified number of attempts for non-existent email
> addresses within a user specified time limit.  It then blocks that IP for a
> user specified amount of time before removing the block.
> It prevents email address harvesting from our server.
> 
> Not bad for a product that cost about $200 if I recall correctly.
> 
> A side benefit is that it stores a text file with the hostname/IP address in
> a folder for every blocked IP.  Over time, I can see patterns and
> permanently block those IP ranges in my firewall if I so desire.
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton
> > Sent: Tuesday, September 19, 2006 1:02 PM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] Spam Spike
> >
> > Darrell, We are averaging 40 to 50% on the processor.  I was just surprised because
> > in 3 years we haven't seen a spike this large.  Most of them are dictionary style.  But
> > since they aren't from the same IP, I don't think the imail 2006 dictionary feature
> > would help us. Thoughts?
> >
> >



RE: [Declude.JunkMail] Spam Spike

2006-09-20 Thread Dave Beckstrom
I run Blackice Server on the mail server.  It drops the connecting IP if we
receive more than a user specified number of attempts for non-existent email
addresses within a user specified time limit.  It then blocks that IP for a
user specified amount of time before removing the block.

It prevents email address harvesting from our server.

Not bad for a product that cost about $200 if I recall correctly.

A side benefit is that it stores a text file with the hostname/IP address in
a folder for every blocked IP.  Over time, I can see patterns and
permanently block those IP ranges in my firewall if I so desire.



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton
> Sent: Tuesday, September 19, 2006 1:02 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Spam Spike
> 
> Darrell, We are averaging 40 to 50% on the processor.  I was just surprised because
> in 3 years we haven't seen a spike this large.  Most of them are dictionary style.  But
> since they aren't from the same IP, I don't think the imail 2006 dictionary feature
> would help us. Thoughts?
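The threshold blocking described in the message above, as an added example that is not part of the original post and is not Blackice's own logic: a sliding-window count of unknown-recipient attempts per connecting IP, with a timed block and a block history for later review. The class name `HarvestGuard`, its parameters and thresholds, and the sample events are assumptions constructed for illustration; the replay also shows that one miss per IP from many addresses, the distributed pattern raised in the quoted message, never reaches a per-IP threshold.

```python
from collections import defaultdict, deque

class HarvestGuard:
    """Block an IP after too many unknown-recipient attempts in a time window."""

    def __init__(self, max_attempts=5, window=60, block_for=600):
        self.max_attempts = max_attempts   # misses tolerated per window
        self.window = window               # window length in seconds
        self.block_for = block_for         # how long a block lasts, in seconds
        self.rejects = defaultdict(deque)  # ip -> timestamps of recent misses
        self.blocked_until = {}            # ip -> time the block expires
        self.block_log = []                # (time, ip) history for pattern review

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is not None and now >= expiry:
            del self.blocked_until[ip]     # block expired, remove it
            expiry = None
        return expiry is not None

    def record(self, ip, now, recipient_exists):
        """Feed one RCPT attempt; return 'drop', 'block' or 'allow'."""
        if self.is_blocked(ip, now):
            return "drop"
        if recipient_exists:
            return "allow"
        q = self.rejects[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                    # forget misses outside the window
        if len(q) > self.max_attempts:     # "more than" the configured number
            self.blocked_until[ip] = now + self.block_for
            self.block_log.append((now, ip))
            q.clear()
            return "block"
        return "allow"

# Constructed sample events: (seconds, client IP, recipient exists?)
EVENTS = [(t, "192.0.2.10", False) for t in range(0, 12, 2)]       # 6 misses in 10 s
EVENTS += [(20, "192.0.2.10", True)]                                 # arrives while blocked
EVENTS += [(t, "198.51.100.%d" % t, False) for t in range(30, 40)]   # one miss per IP
EVENTS += [(700, "192.0.2.10", True)]                                # block has expired

def replay(events, guard=None):
    guard = guard or HarvestGuard(max_attempts=5, window=60, block_for=600)
    return [guard.record(ip, t, ok) for t, ip, ok in events], guard

if __name__ == "__main__":
    results, guard = replay(EVENTS)
    print(results)
    print("block history:", guard.block_log)
```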



RE: [Declude.JunkMail] 4.3.x and 3.1.x planned release

2006-09-15 Thread Dave Beckstrom
Still no fix for the broken image spam? 




> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Friday, September 15, 2006 7:59 AM
> To: declude.junkmail@declude.com; declude.virus@declude.com
> Subject: [Declude.JunkMail] 4.3.x and 3.1.x planned release
> 
> The following items are being tested for Target Date release: 27 September
> 2006
> 
> 4.3.x
> --
> 
> DEC   FIX On occasion ZEROHOUR initialized two overlapping threads
> causing decludeproc crash
> 
> JM    FIX IPBYPASS now takes place before WHITELIST
> 
> JM    FIX X-COUNTRYCHAIN log entry no longer truncated
> 
> JM    FIX DELETE_RECIPIENT removes the specified email address as
> per-user action only
> 
> JM    FIX With HOLD if extra space after %DATE% incorrect behaviour
> was observed this is not been normalized
> 
> HI    FIX CONCATENATELOGS with KEEPINDIVIDUALLOGS works correctly
> 
> JM    ADD BANCHARSET defined in the declude.cfg quarantines listed
> character sets
> 
> EVA   ADD With AVAFTERJM ON the JM Log displays message moved to virus
> folder
> 
> 3.1.x
> --
> 
> JM    FIX IPBYPASS now takes place before WHITELIST
> 
> JM    FIX X-COUNTRYCHAIN log entry no longer truncated
> 
> JM    FIX DELETE_RECIPIENT removes the specified email address as
> per-user action only
> 
> JM    FIX With HOLD if extra space after %DATE% incorrect behaviour
> was observed this is not been normalized
> 
> JM    FIX Declude crash fix. Buffer Overflow reading the From: line in
> the Headers
> 
> HI    FIX CONCATENATELOGS with KEEPINDIVIDUALLOGS works correctly
> 
> SM    ADD Decludeproc will not start without a valid domainlist.xml
> 
> In addition to bug fixes we are also working on wishlist items that we have
> received regarding new tests. If you have any ideas of new tests you would
> like to see implemented please email your thoughts to me directly
> [EMAIL PROTECTED]
> 
> Thanks
> David B
> www.declude.com



RE: [Declude.JunkMail] Re: Why is Declude Not Scanning This?

2006-09-04 Thread Dave Beckstrom
I see about 10 - 20 per day where Declude is broken and where it doesn't
scan the email and puts the Declude headers at the bottom.



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
> Bilbee
> Sent: Monday, September 04, 2006 10:10 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Re: Why is Declude Not Scanning This?
> 
> I have been seeing about 2-3 emails per month without Declude headers
> anywhere in the email message. They have all been spam. No Declude headers in
> the header or body.
> 
> 
> Kevin Bilbee
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of David Dodell
> > Sent: Monday, September 04, 2006 7:33 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Re: Why is Declude Not Scanning This?
> >
> >
> > On Sep 4, 2006, at 4:58 PM, John T ((Lists)) wrote:
> >
> > > But you need to check the message body. There has been discussion
> > > about a
> > > string of spam that has bad headers where the Declude Headers end
> > > up at the
> > > bottom of the body
> >
> >
> > John, I have done so ... the only other part of the message is a JPG
> > attachment which has the actual "viewable" spam advertisement
> > ... did
> > not note any more header lines enclosed in the body of the message.
> >
> > David
> >
> >
> >
> > >
> > >> -Original Message-
> > >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> > >> Of David
> > >> Dodell
> > >> Sent: Monday, September 04, 2006 3:16 PM
> > >> To: declude.junkmail@declude.com
> > >> Subject: [Declude.JunkMail] Re: Why is Declude Not Scanning This?
> > >>
> > >>> By any chance are the Declude headers all the way at the bottom of
> > >>> the message.  Also, in 8.x trains of Imail there were situations
> > >>> where the QueueManager could steal the message from Declude 2.x and
> > >>> below and deliver it before Declude processed it.
> > >>
> > >> Darrell
> > >>
> > >> (1) No more headers were visible any place in either the message
> > >> header or header text
> > >>
> > >> (2) I'm running Imail 9.0 and Declude 4.All the latest releases
> > >>
> > >> Still perplexed ... only happens once in a while, otherwise all
> > >> working ok



[Declude.JunkMail] Message Sniffer vs Commtouch?

2006-08-28 Thread Dave Beckstrom
My message sniffer is up for annual renewal. 

Commtouch is over 50% less expensive than message sniffer ($445 vs $195)

I have to choose between the more expensive message sniffer renewal or
trying commtouch.  I was wondering if anyone here has tried both products
and if so which of the two worked better?

All comments welcome.

Thanks!

Dave





