Re: [Declude.JunkMail] Atriks - Pt.2
Forgive me for repeating myself on this one, but I'm a proponent of blocking outright on SBL. There's a good reason for spammers to be in their list, and it's not some community project where anyone and everyone makes nominations, so it's practically flawless.

Another trick for Green Horse is the following lines in a custom filter somewhere:

# Green Horse Corporation (SBL12495)
BODY 28 CONTAINS /img/c.0/
BODY 28 CONTAINS /img/o.0/
BODY 28 CONTAINS /img/v.0/

This is just in case they break out into new address space. 28 is my delete weight plus Declude's negative weight tests (because they tend to get added in after custom filters and I use SKIPIFWEIGHT functionality).

Matt

Fritz Squib wrote:
> Amazing, I knew that I saw a lot more spam coming from individual cable/dsl modems, but I had no idea...
>
> http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495
> http://groups.google.com/groups?scoring=dq=atriks.com+group:*abuse*
>
> Fritz
>
> Frederick P. Squib, Jr.
> Network Operations/Mail Administrator
> Citizens Telephone Company of Kecksburg
> http://www.wpa.net
>
>  ()  ascii ribbon campaign - against html mail
>  /\  - against microsoft attachments

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IP4 Tests
Just a quick follow up to this message. Today I removed DSBLMULTI after two days of testing. Seemingly they consider lots of ISP mail servers to be spam relays for inclusion in this list. I think I made the mistake in adding them before... DSBL is on the other hand very reliable IMO.

Matt

Matthew Bramble wrote:
> I fail on a weight of 10, only score the last hop, and use the following (see notes below, config updated yesterday for new weights and tests):
>
> BONDEDSENDER         ip4r   query.bondedsender.org         127.0.0.10  -5  0
> AHBL-RELAYS          ip4r   dnsbl.ahbl.org                 127.0.0.2    4  0
> AHBL-PROXIES         ip4r   dnsbl.ahbl.org                 127.0.0.3    4  0
> AHBL-SOURCES         ip4r   dnsbl.ahbl.org                 127.0.0.4    5  0
> AHBL-PROVISIONAL     ip4r   dnsbl.ahbl.org                 127.0.0.5    4  0
> AHBL-FORMMAIL        ip4r   dnsbl.ahbl.org                 127.0.0.6    4  0
> AHBL-DUL             ip4r   dnsbl.ahbl.org                 127.0.0.9    2  0
> BLITZEDALL           ip4r   opm.blitzed.org                *            7  0
> BOGUSMX              rhsbl  bogusmx.rfc-ignorant.org       127.0.0.8    5  0
> DSBL                 ip4r   list.dsbl.org                  127.0.0.2    7  0
> DSBLMULTI            ip4r   multihop.dsbl.org              127.0.0.2    5  0
> DSN                  rhsbl  dsn.rfc-ignorant.org           127.0.0.2    1  0
> FIVETEN-SPAM         ip4r   blackholes.five-ten-sg.com     127.0.0.2    3  0
> FIVETEN-BULK         ip4r   blackholes.five-ten-sg.com     127.0.0.4    3  0
> FIVETEN-MULTISTAGE   ip4r   blackholes.five-ten-sg.com     127.0.0.5    4  0
> FIVETEN-SPAMSUPPORT  ip4r   blackholes.five-ten-sg.com     127.0.0.7    4  0
> FIVETEN-MISC         ip4r   blackholes.five-ten-sg.com     127.0.0.9    4  0
> MAILPOLICE-BULK      rhsbl  bulk.rhs.mailpolice.com        127.0.0.2    8  0
> MAILPOLICE-PORN      rhsbl  porn.rhs.mailpolice.com        127.0.0.2    8  0
> NJABL-DYNABLOCK      ip4r   dynablock.njabl.org            127.0.0.3    4  0
> NJABL-RELAYS         ip4r   dnsbl.njabl.org                127.0.0.2    4  0
> NJABL-DUL            ip4r   dnsbl.njabl.org                127.0.0.3    2  0
> NJABL-SOURCES        ip4r   dnsbl.njabl.org                127.0.0.4    7  0
> NJABL-MULTI          ip4r   dnsbl.njabl.org                127.0.0.5    5  0
> NJABL-FORMMAIL       ip4r   dnsbl.njabl.org                127.0.0.8    8  0
> NJABL-PROXIES        ip4r   dnsbl.njabl.org                127.0.0.9    8  0
> NOABUSE              rhsbl  abuse.rfc-ignorant.org         127.0.0.4    1  0
> NOPOSTMASTER         rhsbl  postmaster.rfc-ignorant.org    127.0.0.3    1  0
> ORDB                 ip4r   relays.ordb.org                *            7  0
> SBBL                 ip4r   sbbl.they.com                  127.0.0.2    4  0
> SBL                  ip4r   sbl.spamhaus.org               127.0.0.2   28  0
> SOLID                ip4r   dnsbl.solid.net                127.0.0.2    5  0
> SORBS-DUL            ip4r   dnsbl.sorbs.net                127.0.0.10   3  0
> SORBS-HTTP           ip4r   dnsbl.sorbs.net                127.0.0.2    6  0
> SORBS-MISC           ip4r   dnsbl.sorbs.net                127.0.0.4    6  0
> SORBS-SOCKS          ip4r   dnsbl.sorbs.net                127.0.0.3    6  0
> SORBS-SPAM           ip4r   dnsbl.sorbs.net                127.0.0.6    4  0
> SPAMCOP              ip4r   bl.spamcop.net                 127.0.0.2    8  0
> XBL                  ip4r   xbl.spamhaus.org               127.0.0.2    8  0
>
> I dropped AHBL-EXEMPT, a whitelist, because it tended to have ISP mail servers in it, and I definitely get a noticeable amount of spam from ISP mail servers and don't need to be giving them credit unless there is a problem.
>
> BONDEDSENDER was dropped to 1/10th of my original weight after I learned that they don't really have the best standards for listing companies, for instance, a mailing list/group site doesn't have to do confirmed memberships which has been a fairly common issue with abuse, and spam houses that lead a double life can still have certain IP's included as long as those IP's don't spam. In dropping them from 50 to 5, I haven't seen any FP's result, and I'm looking to remove them out of my configuration as the next change because I don't want to support something that is membership based in this sense (members have to pay for inclusion and post a small bond). I highly doubt they let in a measurable amount of spam, but I got very concerned when I saw Topica listed in both Spamhaus and Bonded Sender, and figured out that Spamhaus was correct because Topica leads a double life as a spam house, tpca.net for instance:
>
> http://www.senderbase.org/search?searchString=66.180.244.0%2F25
>
> FIVETEN-SPAM, FIVETEN-BULK and SORBS-SPAM all have very common issues with false positives on ad related content and even some mail servers. I'm monitoring closely for an opportunity to drop
[Declude.JunkMail] OBFUSCATION v2.0.1 for JunkMail Pro v1.77i7+
I found that the OBFUSCATION filter can FP on UNICODE attachments (which are uncommon). The new version of this filter fixes this problem. Note that I'm only updating the version that uses functionality introduced and fully supported in JunkMail Pro v1.77i7 or higher. For users of the older versions of this filter you can fix the issue by adding the following line:

BODY -8 CONTAINS begin 666

The 2.0.1 version of the filter that makes use of END, SKIPIFWEIGHT and MAXWEIGHT functionality can be downloaded from the following location:

http://www.mailpure.com/software/decludefilters/obfuscation/Obfuscation_v2-0-1.zip

Matt
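The following is an added example, not code from this thread or from Declude: a small Python evaluator for filter files written in the line format used in the Green Horse filter above (WHERE weight HOW text), extended with the END, SKIPIFWEIGHT and MAXWEIGHT keywords the OBFUSCATION filter relies on. The only line of the second filter taken from the thread is "BODY -8 CONTAINS begin 666"; the other pattern lines, and the exact semantics of the three keywords and of additive per-line weighting, are assumptions made for this example.

```python
import re

# Constructed filter text in the custom-filter line format used in this thread.
# The first block is the Green Horse filter quoted above. The second is a
# stand-in for the OBFUSCATION filter: only "BODY -8 CONTAINS begin 666" is
# from the thread; the other pattern lines are made up for this example.
GREEN_HORSE_FILTER = """
# Green Horse Corporation (SBL12495)
BODY 28 CONTAINS /img/c.0/
BODY 28 CONTAINS /img/o.0/
BODY 28 CONTAINS /img/v.0/
"""

OBFUSCATION_STYLE_FILTER = """
# Assumed semantics: skip this whole filter if the message already scores >= 28,
# cap the filter's total contribution at 12, stop processing at END.
SKIPIFWEIGHT 28
MAXWEIGHT 12
BODY -8 CONTAINS begin 666
BODY 6 CONTAINS &#
BODY 6 CONTAINS =3D
BODY 6 CONTAINS <!--
END
BODY 50 CONTAINS never-reached
"""


def _subject_of(headers: str) -> str:
    m = re.search(r"^Subject:[ \t]*(.*)$", headers, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else ""


def evaluate_filter(filter_text: str, headers: str, body: str, incoming_weight: int = 0):
    """Apply one filter file to a message; returns (weight_added, matched_lines).

    Assumptions for this example: every matching line adds its weight, CONTAINS
    is case-insensitive, SKIPIFWEIGHT compares against the running total
    (weight from earlier tests plus this filter so far), and MAXWEIGHT caps the
    filter's final contribution.
    """
    targets = {
        "BODY": body.lower(),
        "HEADERS": headers.lower(),
        "SUBJECT": _subject_of(headers).lower(),
    }
    total, matched, max_weight = 0, [], None
    for raw in filter_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        keyword = parts[0].upper()
        if keyword == "END":
            break
        if keyword == "SKIPIFWEIGHT":
            if incoming_weight + total >= int(parts[1]):
                break
            continue
        if keyword == "MAXWEIGHT":
            max_weight = int(parts[1])
            continue
        if len(parts) < 4 or keyword not in targets:
            raise ValueError(f"unparseable filter line: {raw!r}")
        weight, how, needle = int(parts[1]), parts[2].upper(), parts[3].lower()
        found = needle in targets[keyword]
        if (how == "CONTAINS" and found) or (how == "NOTCONTAINS" and not found):
            total += weight
            matched.append(line)
    if max_weight is not None and total > max_weight:
        total = max_weight
    return total, matched


if __name__ == "__main__":
    # A uuencoded attachment header ("begin 666 ...") pulls the obfuscation
    # score back down, which is the false-positive fix described above.
    uuencoded = "begin 666 report.dat\nM1VEF.#EA`0`!`(```/\\`_P```\n&# =3D"
    print(evaluate_filter(OBFUSCATION_STYLE_FILTER, "", uuencoded))
```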
RE: [Declude.JunkMail] Atriks - Pt.2
How aggressive is SBL compared to SPEWS? I know with SPEWS they list a lot of adjacent net blocks of the spammers... Does SBL employ the same tactics?

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Tuesday, January 06, 2004 6:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Atriks - Pt.2

> Forgive me for repeating myself on this one, but I'm a proponent of blocking outright on SBL. There's a good reason for spammers to be in their list, and it's not some community project where anyone and everyone makes nominations, so it's practically flawless.
Re: [Declude.JunkMail] Atriks - Pt.2
SPEWS and SBL are two opposite extremes. The only time that SBL will false positive is when they list a hosting company that primarily engages in providing facilities to spammers. For the most part, these hosting companies are only fronts that they use to avoid being fully listed. SBL doesn't ratchet up to larger blocks without proof of spamming from those blocks. SPEWS tactics are more so for intimidation of hosting companies when they do this. It's not that I disagree with intimidation of this type in general, but I wouldn't make use of it on my own server since my main job is to deliver good E-mail and not spammer intimidation. If a block of IP's gets onto SBL, the value of those IP's as a mail source is greatly diminished, and any legitimate company would take action to fix any problems that were impacting other customers. SBL will list only static sources and will go all the way down to a single IP on occasions.

SBL should tag about 20% to 25% of your mail volume (if you have an average mix of traffic), and their FP rate should be 0.01% if not better (people do make mistakes). Note my rant about Topica which is listed in SBL. Topica would be blocked if you did this, but Topica also operates a spam network and uses hundreds and hundreds of domain names. I wouldn't be surprised to see them getting demographic information as well as valid addresses from the Topica site. This is kind of like protecting your users from something they aren't aware could happen. Topica is also a frequent source of spam from their lists because they don't confirm memberships, so spammers can just opt you in. It took me a while to figure out that SBL was correct on this one...but they are no doubt.

Maybe someone else can chime in with their opinion on SBL. I'd be curious to see if anyone has ever seen a clear false positive from them.

Matt

Darrell LaRock wrote:
> How aggressive is SBL compared to SPEWS? I know with SPEWS they list a lot of adjacent net blocks of the spammers... Does SBL employ the same tactics?
>
> Darrell
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
> Sent: Tuesday, January 06, 2004 6:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Atriks - Pt.2
[Declude.JunkMail] Checking blacklists entire CIDR blocks
Does anyone know of an easy way to check an entire netblock for listings? We are supposed to be getting some additional IP's but I want to make sure they are clean first.

Thanks,
Chuck Frolick
ArgoLink.net
[Declude.JunkMail] Do legitimate mailers use iso 8859 character sets?
I have been blocking email that is using the iso-8859 character sets and it has been effective in reducing Spam. Today I came across MSNBC sending out a notification using iso-8859. Is anyone aware of others doing this?

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com
Re: [Declude.JunkMail] Checking blacklists entire CIDR blocks
Chuck,

I would use the Spam Database Lookup here, http://www.dnsstuff.com/, and SenderBase, http://www.senderbase.org/.

Dan
[EMAIL PROTECTED]

----- Original Message -----
From: Charles Frolick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 12:26 PM
Subject: [Declude.JunkMail] Checking blacklists entire CIDR blocks

> Does anyone know of an easy way to check an entire netblock for listings? We are supposed to be getting some additional IP's but I want to make sure they are clean first.
>
> Thanks,
> Chuck Frolick
> ArgoLink.net

--- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
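As an added example (not code from this thread, from Declude or from the lookup sites Dan names), the Python below does the netblock check Chuck asks for with the same IP4R test definitions Matt posted in the "IP4 Tests" thread: it parses the six-field global.cfg lines, builds the reversed-octet DNSBL query name for each address in a CIDR block, and scores an address only when the zone answers with the configured result code (or anything, for "*"). The resolver is injected, so the block runs offline against constructed answers in the RFC 5737 TEST-NET-1 range; `system_resolve` is the live drop-in.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# A subset of the IP4R test lines quoted in the "IP4 Tests" thread, in the
# six-field global.cfg form: NAME type zone result weight 0 ("*" = any answer).
IP4R_CONFIG = """
SBL          ip4r  sbl.spamhaus.org        127.0.0.2  28 0
XBL          ip4r  xbl.spamhaus.org        127.0.0.2   8 0
SPAMCOP      ip4r  bl.spamcop.net          127.0.0.2   8 0
SORBS-DUL    ip4r  dnsbl.sorbs.net         127.0.0.10  3 0
ORDB         ip4r  relays.ordb.org         *           7 0
BONDEDSENDER ip4r  query.bondedsender.org  127.0.0.10 -5 0
NOABUSE      rhsbl abuse.rfc-ignorant.org  127.0.0.4   1 0
"""

Test = Tuple[str, str, str, int]        # (name, zone, expected result, weight)
Resolver = Callable[[str], List[str]]   # query name -> A answers ([] when not listed)


def parse_ip4r_tests(config: str) -> List[Test]:
    """Keep the ip4r lines; rhsbl lines key on a domain name, not the connecting IP."""
    tests = []
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, kind, zone, result, weight = parts[:5]
        if kind.lower() == "ip4r":
            tests.append((name, zone, result, int(weight)))
    return tests


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def score_ip(ip: str, tests: List[Test], resolve: Resolver):
    """Sum the weights of every list whose answer matches the configured result."""
    total, hits = 0, []
    for name, zone, result, weight in tests:
        answers = resolve(dnsbl_query_name(ip, zone))
        if answers and (result == "*" or result in answers):
            total += weight
            hits.append((name, weight))
    return total, hits


def sweep_block(cidr: str, tests: List[Test], resolve: Resolver) -> Dict[str, tuple]:
    """Score every address in a netblock; returns {ip: (total, hits)}."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {str(ip): score_ip(str(ip), tests, resolve) for ip in net}


def system_resolve(qname: str) -> List[str]:
    """Live resolver for real use; NXDOMAIN or any lookup error means 'not listed'."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


# Constructed answers for offline testing (TEST-NET-1, 192.0.2.0/24).
FAKE_DNS = {
    "4.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],
    "5.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "5.2.0.192.dnsbl.sorbs.net": ["127.0.0.10"],
    "6.2.0.192.relays.ordb.org": ["127.0.0.3"],
    "7.2.0.192.query.bondedsender.org": ["127.0.0.10"],
    "3.2.0.192.sbl.spamhaus.org": ["127.0.0.9"],  # wrong result code: not an SBL hit
}


def fake_resolve(qname: str) -> List[str]:
    return FAKE_DNS.get(qname, [])


TESTS = parse_ip4r_tests(IP4R_CONFIG)

if __name__ == "__main__":
    for ip, (weight, hits) in sweep_block("192.0.2.0/29", TESTS, fake_resolve).items():
        if hits:
            print(f"{ip:<12} weight {weight:>3}  {hits}")
```

Several of the 2004-era zones in that list have since been retired, and a retired zone can begin answering positively for every query, which is why the code requires the configured result code rather than treating any answer as a listing.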
[Declude.JunkMail] Two small bugs
Scott,

Virus Bug ==

The first bug is more straightforward, however it is related to Declude Virus, so please forgive me for not joining that group. In an E-mail that was forwarded from monster.com, it tripped on a banned extension of .com because a cookie reference was attached by Outlook Express as follows:

--=_NextPart_000_0001_01C3D1D2.DEDBF400
Content-Type: application/octet-stream; name=nojavascriptdcssip=jobsearch.monster.com
Content-Transfer-Encoding: base64
Content-Location: http://cookie.monster.com/DCS03_6D4Q/njs.gif?dcsuri=/nojavascriptdcssip=jobsearch.monster.com

R0lGODlhAQABAIAAAP8A/wAAACH5BAEALAABAAEAAAICRAEAOw==
--=_NextPart_000_0001_01C3D1D2.DEDBF400--

I'm not sure if there is anything that can be done about this easily, but it was legitimate, and the attachment wasn't an executable, just a cookie. This is the first time that I have ever seen such a thing, so I'm sure it's rare, and maybe a bug with Outlook where it gets confused and attaches cookies coded this way thinking they are COM files???

JunkMail Bug ==

The small bug with JunkMail is as follows. I've seen the following several times across a number of days with at least v1.77i7 and v1.77i10. I'm using the warn action and it always shows up with the same recipient (%ALLRECIPS%) repeated at least three or four times. The first example is unique, and the last three examples are from a dictionary attack coming from one spammer sent to addresses that never existed on the same domain. The X-MailPure: RECIPIENTS line is related to a weightrange test so that it only displays the recipients when it fails. The IPNOTINMX test generally shows up first, but appears below that line when this happens along with the associated errors. Another thing related is the fact that I have a colon in the WARN action for RECIPIENTS listed with a colon, but it always appears with a space then dash in every message.

Here's how that is defined:

- Global.cfg -
HIGH-RECIPS weightrange x x 10 24

- $Default$.junkmail -
HIGH-RECIPS WARN X-MailPure: RECIPIENTS: %ALLRECIPS%

This is not a big deal to me, but I thought that I would let you know about it. Four examples follow:

Received: from mail.com [216.234.126.149] by domain.tld (SMTPD32-7.15) id A570704020A; Tue, 06 Jan 2004 10:34:08 -0500
Reply-To: [EMAIL PROTECTED]
From: BPD [EMAIL PROTECTED]
Subject: [23] Sales Leads --$1,525 Savings
Date: Tue, 6 Jan 2004 10:34:23 -0500
MIME-Version: 1.0
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
Message-Id: [EMAIL PROTECTED]
X-MailPure: ==
X-MailPure: NJABL-DYNABLOCK: Failed, listed in dynablock.njabl.org (weight 4).
X-MailPure: NOABUSE: Failed, listed in abuse.rfc-ignorant.org (weight 1).
X-MailPure: SORBS-DUL: Failed, listed in dnsbl.sorbs.net (weight 3).
X-MailPure: SPAMCOP: Failed, listed in bl.spamcop.net (weight 8).
X-MailPure: IPNOTINMX: Failed, IP is not listed in MX or A records (weight 0).
X-MailPure: NOLEGITCONTENT: Failed, no legitimate content detected (weight 0).
X-MailPure: CONCEALED: Failed, concealed message (weight 1).
X-MailPure: BADHEADERS: Failed, non-RFC compliant headers [840a] (weight 4).
X-MailPure: WORDFILTER-SUBJECT: Message failed WORDFILTER-SUBJECT test (line 63, weight 2).
X-MailPure: RECIPIENTS - [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
X-MailPure: IPNOTINMX: Failed, IP is noX-MailPure: IPNOTINMX: Failed, no legitimate content detected (weight 0).
X-MailPure: [Unknown Var]TESTNAME
X-MailPure: IPNOTINMX: Failed, IP is noX-MailPure: [Unknown Var]TESTNAME
X-MailPure: [Unknown Var] sign in the SMTP From address (weight 2).
X-MailPure: ==
X-MailPure: Spam Score: 23
X-MailPure: Scan Time: 10:34:15 on 01/06/2004
X-MailPure: Spool File: Dd5700704020a2dd9.SMD
X-MailPure: Server Name: mail.com
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: 3639246484.mi.dial.hexcom.net [216.234.126.149]
X-MailPure: ==
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: ==
X-Declude-Date: 01/06/2004 15:34:23 [0]
X-RCPT-TO: [EMAIL PROTECTED]
Status: R
X-UIDL: 372975289

From [EMAIL PROTECTED] Tue Jan 06 09:35:58 2004
Received: from ecardica.net [66.246.175.2] by domain.tld (SMTPD32-7.15) id A7C4324022A; Tue, 06 Jan 2004
Re: [Declude.JunkMail] Two small bugs
> Virus Bug ==
>
> The first bug is more straightforward, however it is related to Declude Virus, so please forgive me for not joining that group. In an E-mail that was forwarded from monster.com, it tripped on a banned extension of .com because a cookie reference was attached by Outlook Express as follows:

Actually, this isn't a bug:

> --=_NextPart_000_0001_01C3D1D2.DEDBF400
> Content-Type: application/octet-stream; name=nojavascriptdcssip=jobsearch.monster.com
> Content-Transfer-Encoding: base64
> Content-Location: http://cookie.monster.com/DCS03_6D4Q/njs.gif?dcsuri=/nojavascriptdcssip=jobsearch.monster.com

The cookie isn't the problem; the name of the file is nojavascriptdcssip=jobsearch.monster.com. That's a .com file.

> I'm not sure if there is anything that can be done about this easily, but it was legitimate, and the attachment wasn't an executable, just a cookie.

The attachment was a .com file. It may have been a cookie with a funny name, but still a .com file. :)

> JunkMail Bug ==
>
> The small bug with JunkMail is as follows. I've seen the following several times across a number of days with at least v1.77i7 and v1.77i10. I'm using the warn action and it always shows up with the same recipient (%ALLRECIPS%) repeated at least three or four times. The first example is unique, and the last three examples are from a dictionary attack coming from one spammer sent to addresses that never existed on the same domain.

There was an issue with one of the v1.77 interim releases that was fixed in 1.77i12 that may have caused this. A change was made in the way that Declude JunkMail retrieves the list of recipients.

-Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
[Declude.JunkMail] Something for Exchange mailbox servers behind IMail/Declude
All,

I came across a pre-built filter for Exchange that seems useful for submailbox redirection (akin to Declude's MAILBOX action) when forwarding mail to an Exchange back end. As far as I'm aware, Exchange does not have built-in username-subarea type addressing, and if it does, it's likely nothing like IMail's. With this app, the relocation is done at the server level based on header info, giving the same functionality we have with IMail back ends.

Of course, I haven't tried it yet, and I know you can write this stuff in VBS if you want. But for $100 bucks...:)

http://www.ivasoft.biz/spammover.html

(No affiliation.)

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
[Declude.JunkMail] New CMDSPACE test in latest interim release
We've just added a new test to the latest interim release, called CMDSPACE. This one looks for spaces in SMTP commands where there shouldn't be any. It is catching about 75% of the spam to the spamtraps here, and since we started using it, only 1 of the approximately 500 legitimate E-mails that came in was caught. It looks like this could be a good test until spammers change their spamware.

To use it, you need the latest interim release (from http://www.delude.com/interim ), and need to use the following line in your \IMail\Declude\global.cfg file to define the test:

CMDSPACE cmdspace x x 8 0

(where 8 is the weight you want to assign to the test).

-Scott
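An added example, not Declude's code: the thread says only that CMDSPACE looks for spaces in SMTP commands where there shouldn't be any, so the Python below implements that idea as a check over the client commands of a session, flagging leading or trailing whitespace, runs of two or more spaces, and whitespace on either side of the colon in MAIL FROM:/RCPT TO: (the last three are the places RFC 2821 syntax allows none). Which of these Declude actually checks is an assumption; the two session transcripts are constructed, and the message-level weight of 8 mirrors the global.cfg line above.

```python
import re

# Constructed SMTP client command streams (not from the thread). The first is
# syntactically clean per RFC 2821; the second has whitespace where the grammar
# allows none.
CLEAN_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net> SIZE=1024",
    "RCPT TO:<bob@example.org>",
    "DATA",
]
SPACED_SESSION = [
    "HELO  bulkbox",
    "MAIL FROM: <sender@example.invalid>",
    "RCPT TO : <victim@example.org>",
    "DATA",
]

# MAIL FROM / RCPT TO: capture any whitespace on either side of the colon.
_ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO)([ \t]*):([ \t]*)(.*)$", re.IGNORECASE)


def command_space_findings(line: str) -> list:
    """Describe each place this command has whitespace the SMTP grammar does not allow.

    Assumed checks (the thread does not state exactly what CMDSPACE examines):
    leading whitespace, trailing whitespace, a run of two or more spaces, and
    whitespace before or after the colon in MAIL FROM:/RCPT TO:. A single space
    after the verb and between ESMTP parameters is legitimate and not flagged.
    """
    findings = []
    if line != line.lstrip():
        findings.append("leading whitespace before command")
    if line != line.rstrip():
        findings.append("trailing whitespace")
    if "  " in line.strip():
        findings.append("multiple consecutive spaces")
    m = _ENVELOPE.match(line.strip())
    if m:
        verb, before, after, _rest = m.groups()
        if before:
            findings.append(f"{verb.upper()}: space before ':'")
        if after:
            findings.append(f"{verb.upper()}: space after ':'")
    return findings


def cmdspace_weight(commands, weight: int = 8):
    """Binary test like the CMDSPACE line in global.cfg: the message gets `weight`
    if any command in the session is malformed. Returns (weight_added, findings)."""
    findings = []
    for line in commands:
        findings.extend(f"{line.strip()!r}: {f}" for f in command_space_findings(line))
    return (weight if findings else 0), findings


if __name__ == "__main__":
    for name, session in (("clean", CLEAN_SESSION), ("spaced", SPACED_SESSION)):
        added, why = cmdspace_weight(session)
        print(f"{name}: +{added}")
        for reason in why:
            print("   ", reason)
```

Because the thread reports roughly 1 legitimate message in 500 tripping this test, a finding should add a moderate weight that combines with other tests rather than driving a delete on its own.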
Re: [Declude.JunkMail] New CMDSPACE test in latest interim release
Woops on the Delude thing

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 6:53 PM
Subject: [Declude.JunkMail] New CMDSPACE test in latest interim release

> To use it, you need the latest interim release (from http://www.delude.com/interim ), and need to use the following line in your \IMail\Declude\global.cfg file to define the test:
>
> CMDSPACE cmdspace x x 8 0
>
> (where 8 is the weight you want to assign to the test).
Re: [Declude.JunkMail] New CMDSPACE test in latest interim release
> Woops on the Delude thing

Sorry, it should be: http://www.declude.com/interim

-Scott
Re: [Declude.JunkMail] New CMDSPACE test in latest interim release
It has been a while since I upgraded my version... are there any special steps to upgrading, or can I simply replace the .exe file and restart IMail SMTP and POP services?

thanks in advance

gb

At 07:42 PM 1/6/2004 -0500, you wrote:
> > Woops on the Delude thing
>
> Sorry, it should be: http://www.declude.com/interim
>
> -Scott

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com
Re: [Declude.JunkMail] New CMDSPACE test in latest interim release
Can't imagine why you'd need to restart .. it hooks the EXE each time it spawns an smtp thread, so the next message after the EXE is in place, should use the new exe.

Jonathan

At 07:20 PM 1/6/2004, you wrote:
> It has been a while since I upgraded my version... are there any special steps to upgrading, or can I simply replace the .exe file and restart IMail SMTP and POP services?
>
> thanks in advance
>
> gb
Re: [Declude.JunkMail] New CMDSPACE test in latest interim release
Also, remember if you are using the bounce action for anything it has been renamed to bounceifyoumust.

Darrell

Jonathan writes:
> Can't imagine why you'd need to restart .. it hooks the EXE each time it spawns an smtp thread, so the next message after the EXE is in place, should use the new exe.
>
> Jonathan

Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com
Re: [Declude.JunkMail] New CMDSPACE test in latest interim release
> Also, remember if you are using the bounce action for anything it has been renamed to bounceifyoumust.

This is probably a good time to let people know that on several occasions the bounce messages that our customers have sent out have been reported as spam (with the assumption that they were the spammers, and therefore they were not notified directly). The BOUNCE action should, as the new name implies, only be used if you must. It should only be used as a last resort, and only in a responsible way. For example, WEIGHT20 BOUNCE is irresponsible.

-Scott
[Declude.JunkMail] Bounced mail
Scott,

You know what I would like to see is a means of sending back a message on confirmed spam that carries the 550 User Unknown designation and a from address appearing to be [EMAIL PROTECTED] (whatever it was) to make it appear believable. I realize that a goodly number of these would bounce because the sender had a bogus address and/or domain, and possibly you could only do this when the reverse DNS lookup actually worked, but since the bounce will come back through Declude you could plant a header that you could detect and simply cause the message to be discarded when it comes back (the bounce confirming it was spam). This would possibly make some of the spammers remove the apparent bad addresses - if any actually do that.

Another thought. Would it be possible, if not too much overhead, to do an SMTP HELO connect to the alleged sending server and verify the sending email address actually exists in the domain (after confirming the domain exists, of course)? I have a utility I tried out to monitor our server that appears to do just this to partially verify the e-mail server is running. I think I would do this only after all the rest of the tests have run and the message is still good to go but suspicious.
Re: [Declude.JunkMail] Bounced mail
> You know what I would like to see is a means of sending back a message on confirmed spam that carries the 550 User Unknown designation and a from address appearing to be [EMAIL PROTECTED] (whatever it was) to make it appear believable. I realize that a goodly number of these would bounce because the sender had a bogus address and/or domain, and possibly you could only do this when the reverse DNS lookup actually worked, but since the bounce will come back through Declude you could plant a header that you could detect and simply cause the message to be discarded when it comes back (the bounce confirming it was spam). This would possibly make some of the spammers remove the apparent bad addresses - if any actually do that.

Although this sounds like a good plan (and some people have done it before), it just doesn't work. Spammers don't care about bounce messages, and they don't treat unsubscribe requests as proof that an E-mail address works (we've sent a number of E-mail addresses to spammers' unsubscribe links, and never seen a single spam as a result). And, about 99% of the time, the spammer will never even get the bounce message. It is very rare for a spammer to use a valid return address.

> Another thought. Would it be possible, if not too much overhead, to do an SMTP HELO connect to the alleged sending server and verify the sending email address actually exists in the domain (after confirming the domain exists, of course)?

It would be possible, but there are a number of drawbacks (if you check the archives of this list, there was some information posted in the past few days about this).

-Scott
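The sender-address callout discussed in the two messages above (connect to the alleged sender's mail server, walk through HELO / MAIL FROM / RCPT TO, and see whether the address is accepted), as an added example that is not part of the original thread and is not Declude code. Everything in it is an assumption of mine for illustration: the in-process mock SMTP server stands in for the remote MX, the mailboxes live in the reserved example.invalid domain, and the `verify_sender` / `sender_looks_valid` functions and the catch-all probe are my own design. The probe shows one drawback any such check has to live with: a server that answers 250 to every RCPT TO tells you nothing, so a positive answer only counts when the same server also rejects a made-up mailbox. The callout never sends DATA, uses the null envelope sender as RFC 5321 asks for notifications, and treats timeouts and 4xx replies as "unknown" rather than "bad".

```python
"""SMTP sender-verification callout against an in-process mock MX.
Added example; hypothetical names and constructed data throughout."""
import secrets
import socket
import threading

# Constructed data: the mock server for example.invalid knows only these mailboxes.
KNOWN_MAILBOXES = {"alice@example.invalid", "postmaster@example.invalid"}


def _serve_one(conn, catch_all):
    """Just enough SMTP for a callout: greeting, HELO/EHLO, MAIL, RCPT, RSET, QUIT."""
    rd = conn.makefile("rb")

    def send(line):
        conn.sendall((line + "\r\n").encode())

    send("220 mx.example.invalid ESMTP mock")
    while True:
        raw = rd.readline()
        if not raw:
            break
        line = raw.decode(errors="replace").rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            send("250 mx.example.invalid")
        elif verb in ("MAIL", "RSET"):
            send("250 OK")
        elif verb == "RCPT":
            addr = line.split(":", 1)[1].strip().strip("<>").lower()
            known = catch_all or addr in KNOWN_MAILBOXES
            send("250 OK" if known else "550 5.1.1 User unknown")
        elif verb == "QUIT":
            send("221 Bye")
            break
        else:
            send("502 Command not implemented")
    conn.close()


def start_mock_server(catch_all=False):
    """Listen on an ephemeral loopback port; returns (listening socket, port).
    catch_all=True models a domain that accepts every recipient."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by the caller
                return
            threading.Thread(target=_serve_one, args=(conn, catch_all), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _read_reply(rd):
    """Return the 3-digit code of a (possibly multi-line, '250-...') SMTP reply."""
    while True:
        line = rd.readline().decode(errors="replace")
        if not line:
            return ""
        if line[3:4] != "-":
            return line[:3]


def verify_sender(address, host, port, timeout=5.0, helo_name="mx.example.invalid"):
    """Callout. True: server accepted RCPT TO:<address>. False: rejected with 5xx.
    None: no usable answer (connect failure, timeout, 4xx, protocol trouble)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            rd = s.makefile("rb")

            def cmd(line):
                s.sendall((line + "\r\n").encode())
                return _read_reply(rd)

            if _read_reply(rd) != "220" or cmd(f"HELO {helo_name}") != "250":
                return None
            if cmd("MAIL FROM:<>") != "250":  # null sender, as for a notification
                return None
            code = cmd(f"RCPT TO:<{address}>")
            cmd("QUIT")
    except (OSError, ValueError):
        return None
    if code.startswith("2"):
        return True
    if code.startswith("5"):
        return False
    return None  # 4xx greylisting or similar: do not score on it


def sender_looks_valid(address, host, port):
    """What a filter would actually use: a 250 counts only if the same server
    rejects a random mailbox in the same domain (otherwise it is catch-all)."""
    result = verify_sender(address, host, port)
    if result is not True:
        return result
    domain = address.rsplit("@", 1)[-1]
    probe = f"vrfy-{secrets.token_hex(6)}@{domain}"
    if verify_sender(probe, host, port) is True:
        return None  # catch-all: acceptance proves nothing
    return True


if __name__ == "__main__":
    srv, port = start_mock_server()
    print("alice:", sender_looks_valid("alice@example.invalid", "127.0.0.1", port))
    print("nobody:", sender_looks_valid("nobody@example.invalid", "127.0.0.1", port))
    srv.close()
```

In real use the host would be the MX of the envelope sender's domain, the check would run only on messages that are already suspicious (as the original poster suggests), and the result should add weight rather than decide on its own, since a remote outage, greylisting or a catch-all domain all leave it at "unknown".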