Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-06 Thread Pete McNeil

On 12/6/2010 4:22 PM, Scott Fisher wrote:

> -Pete
>
> Can I use
>
>
> for the AOL header:
> X-AOL-IP: 213.55.79.58


Yes...

What you've got there essentially says this:

If the first (ordinal 0) received header contains the string "aol.com [" 
then look for the header X-AOL-IP: and read the source IP for the 
message from that header.


Once the engine believes that's the source IP for the message then that 
IP will be scored for the message. If that IP is generating spam through 
aol (in this case) then that IP's statistics will move toward the black 
range and be scored accordingly. Other IPs sending messages through that 
system will be scored on their own merits.


_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010




---
[This E-mail was scanned by Declude]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
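
The selection rule Pete describes in the message above, sketched in Python as an added example (not Message Sniffer code or its configuration syntax): the provider header is used only when the first Received header carries the provider marker, otherwise the connecting IP is used. The rule table, the function names, the `hotmail.com [` marker and the sample messages are assumptions constructed for illustration; only the `aol.com [` marker, the header names and the X-AOL-IP value come from the thread.

```python
import ipaddress
import re
from email import message_from_string

# Illustrative rule table (not Message Sniffer configuration syntax).
# The AOL rule mirrors the thread; the Hotmail marker string is an assumption.
RULES = [
    {"ordinal": 0, "received_contains": "aol.com [", "header": "X-AOL-IP"},
    {"ordinal": 0, "received_contains": "hotmail.com [", "header": "X-Originating-IP"},
]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _valid_ip(text):
    """Return the normalized IP string, or None if text is not an IP."""
    try:
        return str(ipaddress.ip_address(text.strip().strip("[]")))
    except ValueError:
        return None

def source_ip(raw_message, rules=RULES):
    """Return (ip, origin): origin is the header name used, or 'Received'."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    for rule in rules:
        if rule["ordinal"] >= len(received):
            continue
        # Trust the provider header only when the Received line written by
        # our own server says the provider handed us the message.
        if rule["received_contains"] not in received[rule["ordinal"]]:
            continue
        ip = _valid_ip(msg.get(rule["header"], ""))
        if ip:
            return ip, rule["header"]
    # Fallback: the connecting IP recorded in the first Received header.
    for line in received[:1]:
        m = BRACKETED_IP.search(line)
        if m and _valid_ip(m.group(1)):
            return _valid_ip(m.group(1)), "Received"
    return None, None

# Constructed sample messages; the addresses are documentation ranges.
VIA_AOL = ("Received: from imr-da01.mx.aol.com [192.0.2.10] by mail.example.net\n"
           "X-AOL-IP: 213.55.79.58\nSubject: hello\n\nbody\n")
FORGED = ("Received: from relay.example.org [198.51.100.7] by mail.example.net\n"
          "X-AOL-IP: 213.55.79.58\nSubject: hello\n\nbody\n")
```

In the `FORGED` sample the X-AOL-IP header is ignored because the first Received header does not show an AOL relay, so a sender cannot redirect scoring onto another IP just by adding the header.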



RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-06 Thread Scott Fisher
-Pete

Can I use


for the AOL header:
X-AOL-IP: 213.55.79.58



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Monday, December 06, 2010 2:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and
other free account blacklisted servers


On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
> I have the same position as Scott.
>
> I find that the MessageSniffer product from ARM Research is the most
> reliable test
>
> Hotmail in particular would be less effective for the bad guys if I had an
> antispam tool that would determine from the headers that the sender was from
> Hotmail (or others) and then check the
>
> X-Originating-IP: [111.222.333.444]
>
> I've suggested it before but vendors are, quite reasonably, leery of
> building into their product a feature that is specific to a few providers
> while being prone to false positives.

Actually, if I may, Message Sniffer has precisely that feature built 
into GBUdb training.

Specifically, you can tell Message Sniffer to identify the source IP for 
the message based on the presence of a specific header. This feature was 
designed specifically for hotmail and other systems that provide a 
source IP for one reason or another -- (perhaps complex internal routing).

For configuration information see:

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

If you configure this training mechanism for GBUdb in your Message 
Sniffer engine then GBUdb will become much more accurate for messages 
coming through that source.

Best,

_M


-- 
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010












RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-06 Thread Scott Fisher
I made this change immediately. Like Andrew I've always wondered why the
Hotmail header hasn't been targeted by someone.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Monday, December 06, 2010 2:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and
other free account blacklisted servers


On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:
> I have the same position as Scott.
>
> I find that the MessageSniffer product from ARM Research is the most
> reliable test
>
> Hotmail in particular would be less effective for the bad guys if I had an
> antispam tool that would determine from the headers that the sender was from
> Hotmail (or others) and then check the
>
> X-Originating-IP: [111.222.333.444]
>
> I've suggested it before but vendors are, quite reasonably, leery of
> building into their product a feature that is specific to a few providers
> while being prone to false positives.

Actually, if I may, Message Sniffer has precisely that feature built 
into GBUdb training.

Specifically, you can tell Message Sniffer to identify the source IP for 
the message based on the presence of a specific header. This feature was 
designed specifically for hotmail and other systems that provide a 
source IP for one reason or another -- (perhaps complex internal routing).

For configuration information see:

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

If you configure this training mechanism for GBUdb in your Message 
Sniffer engine then GBUdb will become much more accurate for messages 
coming through that source.

Best,

_M


-- 
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010












Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-06 Thread Pete McNeil

On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:

> I have the same position as Scott.
>
> I find that the MessageSniffer product from ARM Research is the most reliable
> test
>
> Hotmail in particular would be less effective for the bad guys if I had an
> antispam tool that would determine from the headers that the sender was from
> Hotmail (or others) and then check the
>
> X-Originating-IP: [111.222.333.444]
>
> I've suggested it before but vendors are, quite reasonably, leery of building
> into their product a feature that is specific to a few providers while being
> prone to false positives.


Actually, if I may, Message Sniffer has precisely that feature built 
into GBUdb training.


Specifically, you can tell Message Sniffer to identify the source IP for 
the message based on the presence of a specific header. This feature was 
designed specifically for hotmail and other systems that provide a 
source IP for one reason or another -- (perhaps complex internal routing).


For configuration information see:

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

If you configure this training mechanism for GBUdb in your Message 
Sniffer engine then GBUdb will become much more accurate for messages 
coming through that source.


Best,

_M


--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010







RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

2010-12-06 Thread Colbeck, Andrew
I have the same position as Scott. 

I find that the MessageSniffer product from ARM Research is the most reliable 
test at catching spam from freemail accounts. Second best is a URI product, but 
much of the spam from freemail accounts is scam text that doesn't have a URL, 
or the spammer obfuscates it by not describing the domain rather than 
specifying it e.g. he will write example.com instead of 
http://www.example.com/marketing (I just fabricated this example).

Hotmail in particular would be less effective for the bad guys if I had an 
antispam tool that would determine from the headers that the sender was from 
Hotmail (or others) and then check the

X-Originating-IP: [111.222.333.444]

header they add, which is invariably a source address I'd block because it's 
listed in XBL or other "DYNA" blacklists.

I've suggested it before but vendors are, quite reasonably, leery of building 
into their product a feature that is specific to a few providers while being 
prone to false positives.

 
Andrew from Vancouver


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Friday, December 03, 2010 8:38 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and 
other free account blacklisted servers


 
My problem is the reverse, I get so much spam from hacked
aol/hotmail/gmail/yahoo accounts, that it's getting to the point that these
services are spammers. I hope some more places blacklist them so that maybe
they'll clean up their act. Like that would happen...

Unfortunately a disproportionate amount of my email spam administration time
is spent solely on these free providers trying to fine tune the filters to
block the spam, without much collateral damage.


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, December 03, 2010 8:39 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and
other free account blacklisted servers


You can also use my filters GOOD-REVDNS and HAM-INDICATOR as well as
ISP-HOTMAIL, ISP-YAHOO etc which are available from the Declude website.
These can help reduce false positives.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 -Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary
Steiner
Sent: Friday, December 03, 2010 9:17 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and
other free account blacklisted servers

Try using the following whitelists:

http://www.abuses.es/eswl/index.html.en

http://www.dnswl.org/

Both are fairly reliable.



 Original Message 
> From: "Chris Patterson" 
> Sent: Wednesday, December 01, 2010 10:01 PM
> To: "declude.junkmail@declude.com" 
> Subject: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and
> other free account blacklisted servers
>
> We have been seeing a dramatic increase of free webmail server IPs being
> blacklisted and causing false positives from the usual Hotmail, msn, yahoo,
> aol, gmail, and other free email servers listed on RBLs, spamcop, spamhaus,
> etc.
>
> This has caused a tendency for customers to want to whitelist these
> domains which we do have on per domain/per user settings however still must
> be explained and applied.
>
> I can provide hundreds of these blacklisted IPs in the logs however I
> was hoping a number of you have developed a list of reverse DNS IP or
> hostname entry files to subtract from sniffer and/or UR-IBL scoring that
> will allow the good emails through from blacklisted IPs or some ruleset
> that has the same effect.
>
> This has become a very annoying issue for us, any help/ideas would be
> appreciated.
> 
> 
> Chris Patterson, CCNA
> Special Projects and Advanced Engineering Manager
> Rapid Systems
> http://www.rapidsys.com
> KB:  http://support.rapidsys.com
> 
> 











