[Declude.JunkMail] OT: unixtools help

2003-11-14 Thread Markus Gufler
Hi

Is there someone who can help me do this with unix tools:
I want to sum up the two columns sc-bytes and cs-bytes from a logfile (see
attachment).

The output should be something like

sc-bytes cs-bytes
2346465 8334526

Markus
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs(User-Agent) cs(Cookie) cs(Referer)
2003-08-31 00:34:00 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /index_dw.htm - 200 0 4116 456 911 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - http://search.virgilio.it/search/cgi/search.cgi
2003-08-31 00:34:21 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /index.asp - 200 0 2349 370 9774 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - -
2003-08-31 00:34:29 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /images/snow_bg.gif - 200 0 4221 321 1161 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH http://www.domain.com/index.asp
2003-08-31 00:34:35 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /images/logo_christkindl-markt2_i.gif - 200 0 26185 339 4827 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH http://www.domain.com/index.asp
2003-08-31 00:34:35 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /_vti_bin/fpcount.exe Page=index.asp|Image=1 200 0 429 347 190 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH http://www.domain.com/index.asp
2003-08-31 00:34:35 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /images/logo_sudtirol_kl_ita.gif - 200 0 5111 334 1322 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH http://www.domain.com/index.asp
2003-08-31 00:35:29 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /index3.asp - 200 0 2152 474 20 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH http://www.domain.com/index.asp
2003-08-31 00:35:36 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /images/snow_bg.gif - 200 0 4221 322 1012 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH http://www.domain.com/index3.asp
2003-08-31 00:35:44 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /images/photo_startseite2.jpg - 200 0 40468 332 7291 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH http://www.domain.com/index3.asp
2003-08-31 00:36:49 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /index.asp - 200 0 2282 264 0 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH -
2003-08-31 00:37:03 123.123.123.123 - W3SVC10001 S2 217.199.0.35 80 GET /images/snow_bg.gif - 200 0 4221 321 1032 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) ASPSESSIONIDCSBCCBBR=CPDBCIJAGPAGAEDCMMMDOPBH http://www.domain.com/index.asp


AW: [Declude.JunkMail] OT: unixtools help

2003-11-14 Thread Goebbels, Bernd (LDS)
Hi,

just try the good old awk!

example:

$ awk 'BEGIN {sum=0}
       {sum += $14+$15}            # columns 14 and 15 are sc-bytes and cs-bytes
       END   {print "\nSUM: " sum}' logfile.txt


line BEGIN : initializes the variable (sum)
next line  : adds columns 14 and 15 to the variable (columns separated by one or
more blanks)
line END   : prints sum (of course you might want to see the result of adding);
logfile.txt is the input file.

please tell me if it worked.

greetings from good old Germany

bernd

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
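Bernd's one-liner adds both columns into a single total and hard-codes their positions as $14 and $15. The following is an added example (not from either poster) that produces the two separate totals Markus asked for, locating sc-bytes and cs-bytes by name from the #Fields: line so the script keeps working if the site logs a different field set; the three-row log it creates is constructed for the demonstration, not taken from the attachment.

```shell
#!/bin/sh
# make_sample_log FILE: writes a constructed IIS W3C extended log with the same
# field list as the attachment (values are made up for this example).
make_sample_log() {
  cat > "$1" <<'EOF'
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs(User-Agent) cs(Cookie) cs(Referer)
2003-08-31 00:34:00 10.0.0.1 - W3SVC10001 S2 192.0.2.10 80 GET /index_dw.htm - 200 0 4116 456 911 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - -
2003-08-31 00:34:21 10.0.0.1 - W3SVC10001 S2 192.0.2.10 80 GET /index.asp - 200 0 2349 370 9774 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - -
2003-08-31 00:34:29 10.0.0.1 - W3SVC10001 S2 192.0.2.10 80 GET /images/snow_bg.gif - 200 0 4221 321 1161 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONID=constructed -
EOF
}

# sum_bytes LOGFILE: prints a "sc-bytes cs-bytes" header line and the two totals.
# The columns are found by name in the #Fields: directive instead of being
# hard-coded, so a log whose field list differs from the attachment (or changes
# part-way through, which IIS does by writing a new #Fields: line) still sums
# the right columns.
sum_bytes() {
  awk '
    /^#Fields:/ {
      # $1 is the literal "#Fields:", so data column i is header field i+1
      sc = cs = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "sc-bytes") sc = i - 1
        if ($i == "cs-bytes") cs = i - 1
      }
      next
    }
    /^#/ { next }                       # #Software, #Version, #Date ... lines
    sc && cs {
      # W3C logs write "-" for an empty field; only sum real numbers
      if ($sc ~ /^[0-9]+$/) sum_sc += $sc
      if ($cs ~ /^[0-9]+$/) sum_cs += $cs
    }
    END {
      if (!sc || !cs) {
        print "no #Fields: line naming sc-bytes and cs-bytes" > "/dev/stderr"
        exit 1
      }
      print "sc-bytes cs-bytes"
      print sum_sc, sum_cs
    }
  ' "$1"
}

# Usage: sh sumbytes.sh logfile.txt
if [ $# -gt 0 ]; then
  sum_bytes "$1"
fi
```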


RE: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread Kami Razvan
Matt:

The log file points idea would be a great help - simply show how much each
filter contributed.  I can't imagine this would be very hard to implement..
 would help a lot in figuring out the effectiveness of certain filters.. 

The idea of END has been discussed before and of course it is more prevalent
to those of us that use a lot of filters.  I have seen emails that have
failed with a weight of 400 and we delete on 60.  So the CPU could have
taken care of other email instead of wasting time on the email that was
deleted.  We have seen a lot of help from the IMail delete action with IP4R
tests.  Deleting on 13 failed tests deletes a lot of spam before it even
reaches Declude.  Something like:  End Weight60 in the global statement
could be an effective approach.  Of course an END or RETURN statement in
the filter would be great too... 

I think a lot of these ideas are great and will help the product.. I am just
wondering how one can explain all these features to someone coming new
onboard?  I guess that is where the archives come into play..

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Thursday, November 13, 2003 9:48 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Request for additional filtering functionality

Scott,

As I continue to look for new potential in filtering, I have repeatedly come
across some limitations which restrict what can be done effectively,
difficulty in figuring the scoring of some variable filters, and challenges
from the additional processing power required to counterbalance some
filters, so I just wanted to request three different things which appear
like they might be somewhat reasonable extensions to the current
environment.  I'm putting these all together in one message because, at
least from my perspective, they are all related, and I didn't want to bother
you repeatedly with such requests.  Those requests are as follows:

1) Provide the score of a test in the logs, WARN function and %TESTSFAILED%
variable.  This would help with filters that have internal counterbalances
or variable scoring so that an admin could quickly determine how many points
were assessed.  I would imagine that it could be turned on by way of one or
three lines in the Global.cfg, i.e.

SHOWPOINTS   ON

or

SHOWLOGPOINTS   ON
SHOWWARNPOINTS   ON
SHOWTESTSFAILEDPOINTS   ON

When on, this would add the points scored to each of the types of entries as
follows:

LOG:   11/13/2003 20:43:02 Q331903a90080bcc8 Msg failed IPLINKED 
([Score: 7] Message failed IPLINKED test (189)). Action=WARN.
WARN:   X-RBL-Warning: IPLINKED: [Score: 7] Message failed IPLINKED 
test (226)
TESTSFAILED:   X-Weight: 16 (REVDNS [0], IPNOTINMX [0], IPLINKED 
[7], SPAMCOP [9])

These changes would not only make scoring without custom filters much
easier, it would definitely make more advanced configurations much easier to
score and therefore make the system as a whole easier to administrate.


2) Provide a method of defeating a custom filter (zero points) based on
failing a specially marked test.  Having this capability, along with
the above requested feature, would remove the need to write convoluted
systems to counterbalance custom filters with ANTI filters (or whatever you
want to call them).  So instead of having entries for allowed character
strings, base64 encoding, certificates, etc., listed in both a GIBBERISH
and ANTI-GIBBERISH filter for instance, they could instead be listed in just
one file making implementation much easier, more straightforward and saving
on processing power that might be required to parse a fully redundant ANTI
filter.  You might even explore the possibility of using an END function so
that tests listed at the top of a custom filter file meant to defeat the
test will stop the rest of the filter from being processed and scored as 0
in the event that a trigger is matched.  I might suggest a configuration
like the following:

BODY  END  CONTAINS  base64

I believe that I could probably save between 10% and 30% of my processing
power by having the ability to defeat a custom filter or at least not be
required to use a combination of filters for counterbalancing.  Custom
filters with long lists of combinations are very expensive to process, and I
have a feeling that my current dual 1 GHz server could only handle about
50,000 messages a day under the current configuration from what I am seeing
in task manager (single Declude.exe processes reaching just over 50%).  This
is after I removed many of the extensive body filters that I was using for a
short while.


3) Provide a method of defining a maximum and/or minimum number of points
that a particular custom filter can score.  This would allow for better use
of filters that can produce multiple hits and are scored per hit.  There
have been a few occasions where I have attempted to code a filter where it
increments the 

[Declude.JunkMail] Web page options for end users

2003-11-14 Thread Steve :-)
Hi all
I have seen on here that someone had created a web page that would let 
the end users select the level of filtering they would like.
I have searched for the article to no avail. I would be willing to spend 
some $$ to get this if any one has it functional.
Thanks
Steve Keeling



Re: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread R. Scott Perry

> As I continue to look for new potential in filtering, I have repeatedly 
> come across some limitations which restrict what can be done effectively, 
> difficulty in figuring the scoring of some variable filters, and 
> challenges from the additional processing power required to counterbalance 
> some filters, so I just wanted to request three different things which 
> appear like they might be somewhat reasonable extensions to the current 
> environment.  I'm putting these all together in one message because, at 
> least from my perspective, they are all related, and I didn't want to 
> bother you repeatedly with such requests.  Those requests are as follows:

Thanks for the suggestions.  Given the number of people that are now using 
filters in Declude JunkMail, and the size of them, it's about time for us 
to expand them a bit.

>    LOG:   11/13/2003 20:43:02 Q331903a90080bcc8 Msg failed IPLINKED 
> ([Score: 7] Message failed IPLINKED test (189)). Action=WARN.
>    WARN:   X-RBL-Warning: IPLINKED: [Score: 7] Message failed IPLINKED 
> test (226)

These two will be changed to use "Message failed IPLINKED test (line 189, 
weight 7)".

>    TESTSFAILED:   X-Weight: 16 (REVDNS [0], IPNOTINMX [0], IPLINKED [7], 
> SPAMCOP [9])

This can be done in the next release with a new %TESTSFAILEDWITHWEIGHTS% 
variable.

> 2) Provide a method of defeating a custom filter (zero points) based on 
> failing a specially marked test.

This will be in the next release.  END instead of the weight will force 
the test to end.

> 3) Provide a method of defining a maximum and/or minimum number of points 
> that a particular custom filter can score.

A MAXWEIGHT option will be in the next release, that will allow you to 
define the maximum weight that the test can add.  If the maximum weight is 
reached, processing will stop (so any negative weights would need to go at 
the beginning of the test), and the maximum weight will be used instead of 
the actual weight (i.e. if you have MAXWEIGHT 60, and the filter is at 55 
points with a line that would add 10 points, processing would stop with a 
weight of 60, not 65).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread Kami Razvan
Scott... 

Let me do a simple test.. Just in case it works..

Could I have a million dollars?

Regards,
Kami




Re: [Declude.JunkMail] Web page options for end users

2003-11-14 Thread Sanford Whiteman
> I have seen on here that someone had created a web page that would
> let the end users select the level of filtering they would like. I
> have searched for the article to no avail. I would be will to spend
> some $$ to get this if any one has it functional.

Quite a few of us have functional UIs. Ours runs within the IMail Web
Messaging interface, while others build using ASP or Cold Fusion on
IIS. The question, though, is what "level of filtering" means at your
site. The beauty, and yet the curse, of Declude is that it allows such
site-specific setups as to make a turnkey universal UI essentially
impossible.

Once you're more precise in your vision of the functions you'd need,
you should post an official RFP to interested parties.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




RE: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread George Kulman
THANK YOU Scott!



Re[2]: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread Sanford Whiteman
> (IE if you have MAXWEIGHT 60, and the filter is at 55 points with
> a line that would add 10 points, processing would stop with a weight
> of 60, not 65).

Sounds like any negative weighting must be frontloaded in the filter
file, then?

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




Re[2]: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread R. Scott Perry

> (IE if you have MAXWEIGHT 60, and the filter is at 55 points with
> a line that would add 10 points, processing would stop with a weight
> of 60, not 65).
> Sounds like any negative weighting must be frontloaded in the filter
> file, then?

That is correct.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread Matthew Bramble
Scott,

EXCELLENT!!!

Please note the minimum score in addition to the maximum one (I'm not 
sure if you got that, though it's not nearly as important).

Thanks a bunch,

Matt







RE: [Declude.JunkMail] Declude Updater

2003-11-14 Thread Burzin Sumariwalla
Hi Markus,

I know it's not an active process issue, because I created a bogus folder 
and bogus declude.exe for DU to act upon.

That leads me to also believe it's also a rights issue.  However, I can't 
figure it out.  I'm logged on as Administrator, and the DU folder and its 
contents are owned by Administrator.  The contents of the folder inherit 
Administrator ownership, and the same holds true for the bogus target 
folder and executable.

Any other ideas?  Of note may be the fact that I get the update email after 
downloads, regardless of whether the target updated.

Burzin

At 10:14 AM 11/13/2003, you wrote:



> You've set up DU to install only release versions.
> DU will do the following:
> 1.) Download the file http://www.declude.com/version.txt
> This file at the moment contains
> -
> Release: 1.75 http://www.declude.com/release/175/Declude.exe
> Beta: 1.76 http://www.declude.com/release/176/Declude.exe
> -
> 2.) Now DU will check if there is already a downloaded release and beta
> file with these versions. If not, it will download these files and save them in
> the appropriate folder.
> 3.) Depending on what you've selected to update (release or beta) it will
> look if there is a new file and if yes DU will copy this file to the
> indicated IMail path.
> In your case, look only at the subfolder release: if you delete the folder
> 175 and run DU manually, it should download, save and copy release 175.
> If not, I can only expect that your logon account has no right to overwrite
> in the IMail path or that any time you've tried to overwrite this file it
> was locked because a process was active.
> Markus


Re: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread Matthew Bramble
Scott,

Elaborating is my favorite pastime :)

I mentioned the minimum score choice because while most of what we do is 
looking for ways to add points, sometimes we also want to subtract them 
in order to give credit, or alternatively, we sometimes don't want to 
subtract more than a certain number of points.  So for the completeness 
of options, it made sense to include (though again, it's not nearly as 
useful as the maximum weight feature because of how filters are mostly 
used).

This might have been useful for instance in my FOREIGN/TLD set, where 
the TLD-[Region] filters are scored in the Global.cfg as 3 points, and 
then for each hit (which should be unique in this case) one point is 
subtracted, like so:

   - Global.cfg -
   TLD-ASIAN  filter  C:\IMail\Declude\Filters\TLD-Asian.txt  x  3  0

   - TLD-Asian.txt -
   MAILFROM  -1  ENDSWITH  .af
   HELO      -1  ENDSWITH  .af
   REVDNS    -1  ENDSWITH  .af

I didn't want to score this too high because there are many cases where 
a reverse DNS entry is missing from a valid sender, but alternatively, I 
could have coded it to credit back more points than the score given in the 
Global.cfg and upped the score of the Global.cfg like so:

   - Global.cfg -
   TLD-ASIAN  filter  C:\IMail\Declude\Filters\TLD-Asian.txt  x  4  0

   - TLD-Asian.txt -
   MAILFROM  -1  ENDSWITH  .af
   HELO      -2  ENDSWITH  .af
   REVDNS    -2  ENDSWITH  .af

So a credit of up to 5 points could be deducted, and currently that 
would give a score of -1 if all three hit, but I might not want to give 
back 5 points and limit the credit to 4 points with a MINWEIGHT -4 entry 
(figuring that the points in the Global.cfg would then be added to the 
score from within the filter).  This would allow a sender with a 
MAILFROM and HELO, or a MAILFROM and REVDNS to net only one point, but I 
could add 3 points for just a MAILFROM which matched, which might be 
beneficial in this instance.  This would be useful in a many-to-many 
matching system for both positive and negative scoring.

I could see other uses such as pseudo whitelists which make use of 
negative weighting inside of the filter and may track various types of 
information, so this would protect from crediting back more points than 
was desired, but at the same time allow less credit than the total 
defined by the MINWEIGHT.

As far as one-to-one negative weight matches go, these would benefit 
from the functionality where the filter is stopped from processing after 
reaching a certain value, thus saving processing time as you described.

I don't see any immediate reason why you would need a MAXWEIGHT and 
MINWEIGHT in the same filter if that helps.

I must admit that it's kind of hard to come up with perfect examples 
since I have been trying to work within the current framework, however I 
would imagine that over time, there would be even better uses for 
limiting the negative weights applied within a filter.

Regardless of that, I would give my left nut just to have the MAXWEIGHT 
feature as you expanded on it along with the other things :)  I'm pretty 
confident that this would increase my capacity by 25% with the addition 
of having the test stop on a MAXWEIGHT as well as an END.

Thanks again,

Matt



R. Scott Perry wrote:

>> Please note the minimum score in addition to the maximum one (I'm not 
>> sure if you got that, though it's not nearly as important).
>
> I did see that -- could you elaborate on that one a bit?



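Scott's MAXWEIGHT rule (processing stops once the cap is reached, so negative weights have to come first) and Matt's TLD-Asian arithmetic can be checked with a small simulation. This is an added example, not Declude's code: it folds the weights of the filter lines that matched, in file order, and applies the cap as Scott described; treating MINWEIGHT as the mirror-image floor and adding the Global.cfg weight afterwards are assumptions taken from Matt's reasoning, not confirmed semantics, and the hit lists in the demo are constructed.

```shell
#!/bin/sh
# score_filter MAXWEIGHT MINWEIGHT GLOBAL hit1 [hit2 ...]
#   MAXWEIGHT / MINWEIGHT: cap / floor on the filter's own total ("" = none)
#   GLOBAL:  weight assigned to the filter test in Global.cfg
#   hitN:    weights of the filter-file lines that matched, in file order
# Prints the weight the test would add to the message.
score_filter() {
  max=$1; min=$2; global=$3; shift 3
  printf '%s\n' "$@" | awk -v max="$max" -v min="$min" -v global="$global" '
    stopped { next }                  # lines after the stop are never evaluated
    {
      w += $1
      # Scott: on reaching MAXWEIGHT, stop and report the cap, not the real sum
      if (max != "" && w >= max) { w = max; stopped = 1 }
      # Assumption: MINWEIGHT behaves the same way in the negative direction
      if (min != "" && w <= min) { w = min; stopped = 1 }
    }
    # Assumption (Matt): the Global.cfg weight is added to the filter total
    END { print w + global }
  '
}

# Demonstration when run as: sh score.sh demo
if [ "${1:-}" = "demo" ]; then
  echo "Scott: 55 then +10 under MAXWEIGHT 60 -> $(score_filter 60 '' 0 55 10)"
  echo "+30 +40 -20, credit last, cap 60     -> $(score_filter 60 '' 0 30 40 -20)"
  echo "-20 +30 +40, credit first, cap 60    -> $(score_filter 60 '' 0 -20 30 40)"
  echo "TLD-Asian, three hits, no MINWEIGHT  -> $(score_filter '' '' 4 -1 -2 -2)"
  echo "TLD-Asian, three hits, MINWEIGHT -4  -> $(score_filter '' -4 4 -1 -2 -2)"
  echo "TLD-Asian, MAILFROM and HELO only    -> $(score_filter '' -4 4 -1 -2)"
fi
```

The second and third lines of the demo are the point Sandy raised: with the credit line last, the cap is hit before it is ever read, so the same three lines score 60 or 50 depending only on their order in the file.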


Re: [Declude.JunkMail] Is this legit?

2003-11-14 Thread Matthew Bramble
Greg,

That message makes heavy use of HTML encoding for standard characters, 
and if you have Declude Pro, you can use the OBFUSCATION filter that I wrote 
which will help immensely with this and many other types of crud spam 
which obfuscate their text and links.  I don't have it on my site yet, 
however I shared an updated version (just one added exception) on this 
list on 11/10 under the subject: "Re: [Declude.JunkMail] Filter Entry Not 
Being Triggered"

Matt



Greg Foulks wrote:

> I'm wondering if I could filter on the following content of an html message?

 





Re: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread R. Scott Perry

I mentioned the minimum score choice because while most of what we do is 
looking for ways to add points, sometimes we also want to subtract them in 
order to give credit, or alternatively, we sometimes don't want to 
subtract more than a certain number of points.  So for the completeness of 
options, it made sense to include (though again, it's not nearly as useful 
as the maximum weight feature because of how filters are mostly used).
The MINWEIGHT option will be added, too.  :)

Still working on Kami's request for a CASH option.

I must admit that it's kind of hard to come up with perfect examples since 
I have been trying to work within the current framework, however I would 
imagine that over time, there would be even better uses for limiting the 
negative weights applied within a filter.

That is very often the case.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Declude Updater

2003-11-14 Thread Craig Gittens
Use RunAS?

Craig.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Burzin
Sumariwalla
Sent: Friday, November 14, 2003 3:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude Updater


Hi Markus,

I know it's not an active process issue, because I created a bogus folder
and bogus declude.exe for DU to act upon.

That leads me to also believe it's also a rights issue.  However, I can't
figure it out.  I'm logged on as Administrator, the DU folder and its
contents owned by Administrator.  The contents of the folder inherit
Administrator ownership, and the same holds true for the bogus target
folder and executable.

Any other ideas?  Of note may be the fact that I get the update email after
downloads, but regardless of the fact that the target updated.

Burzin

At 10:14 AM 11/13/2003, you wrote:



You've set up DU to install only release versions.
DU will do the following:

1.) Download the file
http://www.declude.com/version.txt

This file at the moment contains
-
Release: 1.75 http://www.declude.com/release/175/Declude.exe
Beta: 1.76 http://www.declude.com/release/176/Declude.exe
-

2.) Now DU will check whether there are already downloaded release and beta
files with these versions. If not, it will download these files and save
them in the appropriate folder.

3.) Depending on what you've selected to update (release or beta), it will
check whether there is a new file and, if so, DU will copy this file to the
indicated IMail path.

In your case, only look at the subfolder release: if you delete the folder
175 and run DU manually, it should download, save and copy release 175.

If not, I can only expect that your logon account has no right to overwrite
in the IMail path, or that any time you've tried to overwrite this file it
was locked because a process was active.

Markus

---
[This E-mail scanned for viruses by Declude Virus]






Re: [Declude.JunkMail] Request for additional filtering functionality

2003-11-14 Thread Matthew Bramble

The MINWEIGHT option will be added, too.  :)
EXCELLENT!!!  Thanks again.  It should be easy to modify the filters to 
work more effectively under the new features, and my eye strain will 
subside with the addition of weights in the headers and logs.

BTW, another thought...because some of us parse our logs or captured 
E-mail, it might make it easier to separate the score out if you put it 
before the line of the filter that is failed since that line will be 
widely variable.  We might want to know for instance how many times a 
filter assessed points instead of how many times it was hit with or 
without points.  It follows that it would be more difficult to 
parse/search for weight:

   Message failed IPLINKED test (line 189, weight 7)
   Message failed IPLINKED test (line 189, weight 0)
than it would be to parse/search for weight:

   Message failed IPLINKED test (weight 7, line 189)
   Message failed IPLINKED test (weight 0, line 189)
or move it somewhere else altogether for those that like to parse the 
line score as well.  Maybe Bill, another power grep-er, or one of the 
log file analysis guys could suggest the best implementation from their 
perspectives.  I only recommended it as the first entry so it would be 
easier to spot in my own config which now makes use of WARN actions and 
since it wouldn't change the format of the line failed portion, but I 
could deal with almost anything.  It isn't of much value to know if 
something scored 0 points unless you are wondering if a filter actually 
processed the message, so having a readily available method to search 
your logs for a combination of filter and weight with a simple text 
search would be useful.  I couldn't do that with a standard text editor 
if the weight followed the line.

Still working on Kami's request for a CASH option.


We could turn this into a me too thread :)

Matt
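An added example (not from Matt's post, and not Declude's own code) of the parsing Matt has in mind: a small Python parser that accepts both orderings of the failed-test line and counts, per test, how often it fired versus how often it actually assessed points. The log lines are constructed for the example and the timestamp prefix is an assumption.

```python
import re
from collections import defaultdict

# One pattern covers both orderings discussed in the thread:
# "(line N, weight W)" and "(weight W, line N)".
FAILED_RE = re.compile(
    r"Message failed (?P<test>\S+) test \("
    r"(?:line (?P<line1>\d+), weight (?P<w1>-?\d+)"
    r"|weight (?P<w2>-?\d+), line (?P<line2>\d+))\)"
)


def parse_failed_line(text):
    """Return (test, line, weight) for a 'Message failed ... test' entry in
    either layout, or None when the text is some other kind of log line."""
    m = FAILED_RE.search(text)
    if m is None:
        return None
    line = m.group("line1") or m.group("line2")
    weight = m.group("w1") if m.group("w1") is not None else m.group("w2")
    return m.group("test"), int(line), int(weight)


def summarize(lines):
    """Per test name: how often it fired at all, how often it fired with a
    non-zero weight (the number Matt wants), and the total weight assessed."""
    stats = defaultdict(lambda: {"hits": 0, "scored": 0, "weight": 0})
    for text in lines:
        parsed = parse_failed_line(text)
        if parsed is None:
            continue
        test, _line, weight = parsed
        entry = stats[test]
        entry["hits"] += 1
        if weight != 0:
            entry["scored"] += 1
        entry["weight"] += weight
    return dict(stats)


# Constructed sample log, not real Declude output: the timestamp prefix is
# assumed, and the entries deliberately mix both layouts.
SAMPLE_LOG = """\
11/14/2003 10:01:02 Message failed IPLINKED test (line 189, weight 7)
11/14/2003 10:01:05 Message failed IPLINKED test (line 189, weight 0)
11/14/2003 10:02:11 Message failed OBFUSCATION test (weight 12, line 14)
11/14/2003 10:02:40 Message failed OBFUSCATION test (weight 0, line 2031)
11/14/2003 10:03:01 Message failed WHITELIST test (weight -50, line 3)
11/14/2003 10:03:07 Some unrelated log entry
""".splitlines()


if __name__ == "__main__":
    for test, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{test:12} hits={entry['hits']} scored={entry['scored']} "
              f"weight={entry['weight']}")
```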



[Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Dan Geiser
Hello, All,
I am interested in knowing if anyone on this list knows who the spammer is
that is registering and using domain names that are basically 2 words put
together or 1 word appended with an easily recognizable suffix and that all
of the domains are always in all CAPS.  I find it so easy to recognize one
of these pieces of spam when I see it yet other than the easily recognizable
domains they do everything they can to make their e-mail look legit from a
header standpoint.

I was just curious to know which of the major spammers is generating all of
this stuff as I'd like to break out the IP addresses that they are using and
weight them higher than the other IP filters I use.

Anybody familiar with these?

Thanks,
Dan

P.S: I've listed a handful of the domains below


---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan



RE: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Andy Schmidt
Hi,

Is the reverse DNS valid, e.g., does the Reverse DNS actually point to one
of these registered domains?

Best Regards
Andy 



Re: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Dan Geiser
Yes.  The FROM address, the reverse DNS and the HELO all match the same
domain.  They tend not to trip any tests unless the IPs have been reported
to Spamcop or another IP4R provider.



RE: [Declude.JunkMail] Declude Updater

2003-11-14 Thread Burzin Sumariwalla
The results below and in the thread were obtained by running DU manually 
from the Administrator account.

B

--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



Re: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Matthew Bramble
Dan,

Try searching SenderBase.org for the domains or class C's to verify what 
is being used currently and then do reverse DNS lookups on the 
surrounding IP space to see if a similar pattern exists with the other 
addresses.  You might also identify the guy in the event that one block 
appears on SBL (linked from SenderBase.org) and add in other known 
blocks to your filter.  Here is an example of one of his address spaces:

   http://www.senderbase.org/search?searchString=216.9.176.0

Hey, what do you know, SBL does have this guy marked, and he's a ROKSO 
spammer.  Their lists might be incomplete though.

I've found unfortunately that this type of spammer seems to be splitting 
up some of their space on only portions of netblocks, maybe to avoid 
detection by perma-listing RBL's like SBL.  Places like SpamCop will 
expire their blocks, so if they jump around like the Pexicom guy, he can 
keep his space mostly clean and spam from them for a much longer time 
before he is tagged for the entire netblock.

Please share your findings with the list.  I for one am interested in 
moving spammers with static IP's at least up above my fail weight, and 
others can save processing by blocking them at the router or in IMail's 
access control list.  Blocking by IP with the ipfile type of filter is 
also the fastest Declude method and it protects from them changing names 
to get past your filters.  Sounds like you might have already come to 
that conclusion.

Matt





RE: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Andy Schmidt
Here is what I do.

I have a script rdnsbl.cmd that builds my own RDNS BL list:

dnscmd \\your.dns.server /RecordAdd yourdomain.com. *.%1.rdns.yourdomain.com. A 127.0.0.2
dnscmd \\your.dns.server /RecordAdd yourdomain.com. %1.rdns.yourdomain.com. A 127.0.0.2

Submit all the spam domain names (e.g., spamdomain.com) with one line per
domain like this:

call rdnsbl spamdomain.com

Add the RDNSBL test to your Declude config file:

RDNSBL  dnsbl   %REVDNS%.rdns.yourdomain.com*   8   0

Enclosed is a zone file to get you started - obviously, you need to
customize to your OWN domain name where you want to host your RDNS BL.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/




Re: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Dan Geiser
Hey, Matt,
Thanks for the feedback and link to a new resource which I had not heard of
before.

I have an IPFILE with about 300 class C addresses in it.  It grows a little
bigger every day.  It seems that some IP blocks have basically been ceded
to the spammers which is fine by me.  It makes them much easier to filter
out if they keep using the same IP addresses over and over.

I use per-domain spam filtering.  My current HOLD weights range from 5 to
10.  My current DELETE weight is 40.  Entries in my IPFILE are given 12
points.  My plan is to break the IPs for the Capital Letter spammer out
into a separate file with maybe a weight of 24 or so.

Currently I'm not doing ANY spam filtering based on content.  I'm using the
default tests for DJM.  I have added about 4 IP4R tests which aren't part of
the default.  And I have 4 main custom tests.  One IPFILE, one FROMFILE, and
2 FILTER files.  One FILTER file has common known spamming domains which
show up in the HELO part of the conversation.  The other FILTER file has
common known spamming domains which show up in the REVDNS.  I assign each
test 12 points.  Typically failure of only 2 of these will not push someone
above the DELETE weight.  Failure of three typically will.

Believe it or not with this setup I am catching 99% of the spam that is sent
to us.  And I'm glad I don't have to do any CPU intensive body searching.

I found out what a ROKSO spammer is, http://www.spamhaus.org/rokso/.  Cool
information.  How did you know this particular one was ROKSO based on the
SenderBase entry?

Thanks,
Dan



RE: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Tom

 Add the RDNSBL test to your Declude config file:
 
RDNSBL dnsbl   %REVDNS%.rdns.yourdomain.com*   8   0

This is very interesting.  How does this work if the DNS record
has the following .rdns at the tail end?  Does Declude call
the server and add it to the tail?  And is the * a valid
DNS record entry?

Reverse DNS Record
-
*.somename.net.rdns A   127.0.0.2


Regards,
Tom
Image`fx



Re: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Matthew Bramble
Dan Geiser wrote:

Hey, Matt,
I have an IPFILE with about 300 class C addresses in it.  It grows a little
bigger every day.  It seems that some IPs blocks have basically been ceded
to the spammers which is fine by me.  It makes them much easier to filter
out if they keep using the same IP addresses over and over.
 

I've seen a few of these and invariably over time there comes a need to 
start expiring entries that are no longer being used.  It's hard to 
imagine that most hosts would allow a spammer to take up their IP space 
for that long, and new customers would end up populating it which might 
cause problems.  I found one class C that was shared between a very well 
known ROKSO spammer and Excite.  I'm guessing that this will start to 
cause them problems soon enough, but I would prefer to only block 
verifiable spam blocks and not the whole class C's.   SenderBase helps a 
lot with identifying the extent of the current addresses being used, 
but reverse DNS for surrounding IP's can expose more and detect 
potential problems when you find an unassociated domain sharing the 
space.  This is for the most part too time consuming for me right now.  
A scanner of some type might make the job much easier though, and I 
think there are some people here that could make quick work of the tasks 
with a bit of programming.

I use per-domain spam filtering.  My current HOLD weights range from 5 to
10.  My current DELETE weight is 40.  Entries in my IPFILE are given 12
points.  My plan is to break the IPs for the Capital Letter spammer out
into a separate file with maybe a weight of 24 or so.
 

I misstated that I only wanted to fail these guys, actually I want to 
push them over my DELETE weight for now so that reviewing is easier, and 
in the future as traffic to my server grows, I would like to block them 
with IMail's control list to save bandwidth and processing power.

Currently I not doing ANY spam filtering based on content.  I'm using the
default tests for DJM.  I have added about 4 IP4R tests which aren't part of
the default.  And I have 4 main custom tests.  One IPFILE, one FROMFILE, and
2 FILTER files.  One FILTER file has common known spamming domains which
show up in the HELO part of the conversation.  The other FILTER file has
common known spamming domains which show up in the REVDNS.  I assign each
test 12 points.  Typically failure of only 2 of these will not push someone
above the DELETE weight.  Failure of three typically will.
 

The only shortcoming of that system is that it won't catch some of the 
crud spammers that are using virus infected machines to send mail from.  
I'm one of the people that believes that these guys, who are already 
breaking the law, will grow and grow to become even more problematic 
over time.  Perma-blocking a hacked server or workstation is 
problematic.  Some day I would like to look at a way to refresh my list 
and remove unused entries automatically.  It's nice to know that such a 
method can be so effective in your environment.  If I'm successful in 
selling gateway services, capacity will become much more of an issue.

I found out what a ROKSO spammer is, http://www.spamhaus.org/rokso/.  Cool
information.  How did you know this particular one was ROKSO based on the
SenderBase entry?
 

It was linked from SenderBase :)   Honestly, I've just started exploring 
this area myself, though I think there is a lot of interest among some 
of us users and I'm kind of amazed that places like SBL lack listings 
for some very high volume spammers that are known from different IP's.  
A little automated traffic analysis should expose these guys in a heartbeat.

Andy, sorry for burying this, but I assume that this works on Windows 
also with Dnscmd.exe, or is this just something that you've done with 
unix?  Nice trick nevertheless!

Matt



RE: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Andy Schmidt
Hi Tom:

The zone file is for YourDomain.com.

So:

*.somename.net.rdns A   127.0.0.2

expands to:

*.somename.net.rdns.YourDomain.com. A   127.0.0.2

and means that ANY hostname that ends with
.somename.net.rdns.Yourdomain.com. will return 127.0.0.2.

The Global.cfg defines:

RDNSBL  dnsbl   %REVDNS%.rdns.yourdomain.com*   8   0

That means, take the REVDNS from a message, prepend it to
RDNS.YourDomain.com and if you get any valid address (e.g., 127.0.0.2)
then assign a weight of 8.

So, if an email was sent from ANY host at .somename.net it will look up
somehost.somename.net.rdns.yourdomain.com - which will return a 127.0.0.2.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/




RE: [Declude.JunkMail] Who Is This Spammer?

2003-11-14 Thread Tom
Got it, thank you.  I created a separate zone file for it called
rdns.mydomain.com and removed the rdns from the tail end and it worked.

Instead of this:

*.somename.net.rdns A   127.0.0.2

I did this:

*.somename.net A127.0.0.2

In a separate zone file to keep my master zone file clean.

Thanks...

Regards,
Tom
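As an added example, not Andy's rdnsbl.cmd or zone file and not Declude's own code, this Python model builds the records rdnsbl.cmd would add and simulates the %REVDNS% lookup Andy explains above, covering both his layout (records under yourdomain.com) and Tom's separate rdns zone. The hosting domain yourdomain.com and the rdns label come from the thread; the class and function names and the sample domains are assumptions.

```python
"""Model of the reverse-DNS blacklist (RDNSBL) described in this thread.

Added example, not Andy's rdnsbl.cmd, his zone file, or Declude's own code.
It builds the records rdnsbl.cmd would add for a list of spam domains and
then simulates the lookup behind the Declude test

    RDNSBL  dnsbl  %REVDNS%.rdns.yourdomain.com*  8  0

by appending a message's reverse-DNS name to the zone suffix and asking
whether an exact or wildcard A record answers.  'yourdomain.com', the 'rdns'
label and the record layout are taken from the thread; everything else
(names below, the sample domains) is assumed here.
"""

from dataclasses import dataclass, field

LISTED = "127.0.0.2"                 # address returned for every listed name
RDNS_SUFFIX = "rdns.yourdomain.com"  # what Declude appends to %REVDNS%


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot and surrounding space,
    so the all-caps domains from the thread match lower-case rDNS names."""
    return name.strip().rstrip(".").lower()


@dataclass
class RdnsZone:
    origin: str                                   # e.g. "rdns.yourdomain.com"
    records: dict = field(default_factory=dict)   # owner FQDN -> A address

    def add_domain(self, domain):
        """Equivalent of `call rdnsbl spamdomain.com`: list the domain itself
        and, via a wildcard, every host under it."""
        d = normalize(domain)
        self.records[f"{d}.{self.origin}"] = LISTED
        self.records[f"*.{d}.{self.origin}"] = LISTED

    def resolve(self, qname):
        """Answer a query the way a DNS server would for this zone: an exact
        owner wins, otherwise the most specific wildcard whose suffix is
        label-aligned with the query ('notspam.com' never matches
        '*.spam.com').  Returns the address, or None for no such name."""
        q = normalize(qname)
        if q in self.records:
            return self.records[q]
        labels = q.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.records:
                return self.records[wildcard]
        return None


def load_zone(origin, lines):
    """Parse the minimal 'owner A address' lines used in the thread.  Owners
    without a trailing dot are relative to the origin, which is why Andy's
    '*.somename.net.rdns' in yourdomain.com and Tom's '*.somename.net' in a
    separate rdns zone produce the same fully qualified record."""
    zone = RdnsZone(normalize(origin))
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "A":
            continue                              # blanks, comments, SOA/NS
        owner, addr = parts[0], parts[2]
        fqdn = owner if owner.endswith(".") else f"{owner}.{zone.origin}"
        zone.records[normalize(fqdn)] = addr
    return zone


def rdnsbl_weight(zone, revdns, suffix=RDNS_SUFFIX, weight=8):
    """Simulate the Declude dnsbl test: a message without reverse DNS is not
    looked up at all (0); otherwise query revdns + '.' + suffix and assess
    the weight when any address comes back, as Andy describes."""
    if not revdns:
        return 0
    answer = zone.resolve(f"{normalize(revdns)}.{suffix}")
    return weight if answer is not None else 0


if __name__ == "__main__":
    zone = RdnsZone(RDNS_SUFFIX)
    zone.add_domain("SPAMDOMAIN.COM")        # constructed, as in Andy's post
    # Note: Tom's wildcard-only record lists hosts under somename.net but
    # not the bare name somename.net; rdnsbl.cmd adds both records.
    for host in ["mail.spamdomain.com", "notspamdomain.com",
                 "mx.example.org", None]:
        print(host, "->", rdnsbl_weight(zone, host))
```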

 
