[Declude.JunkMail] IIS Worm
We've spent the morning battling a worm. Here's the news: It's designed to exploit a vulnerability in Microsoft IIS (we use it for delivery) that is so new it doesn't yet have a name. It's not yet in wide circulation, we just push so much mail we've seen it already. MS doesn't yet know how it works, they have a patch that fixes at least the symptoms but has not yet published it as an official update. Symptoms are the boxes queue and caches filling up with one session of inetinfo.exe running overtime (lots of CPU and RAM).

Dan
RE: [Declude.JunkMail] Feature request: COMBO tests
I for one am quite happy with the workaround for TESTSFAILED/END. I can't speak to which versions should support it, but with Matt's guidance and the permutation builder I posted here yesterday:

http://www.subterrane.com/permgen.shtml

I've found remarkable precision and dexterity. Just be sure to uncheck Fill empty strings

Dan

From: Markus Gufler [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 19 May 2004 23:39:58 +0200
To: [EMAIL PROTECTED]
Subject: SPAM: RE: [Declude.JunkMail] Feature request: COMBO tests

Gotcha. Did not know of the standard ver limits

Beside the limitation for pro users (who knows if future COMBO test - if they become true - will be available in the standard version?) I consider the TESTSFAILED/END solution a little bit inflexible and inefficient and so as Matt (who has discovered this possibility) said it's nothing else than a workaround

Real AND/OR/NOT functionality for a new group of COMBO tests that are processed after all other tests should allow us to assign extra points for certain suspicious combinations of tests. As explained several times this would allow to set up a great set of filter files for bogus virus warnings coming from other dumb av filters.

Markus

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] countmein.com
The Institute of Biotechnology, University of Helsinki Finland just sent my abuse line a report suggesting a new client of mine is a spammer. I'm not in the business of protecting these guys from each other. Has anyone heard of countmein.com as a spammer? Here's the report if you're curious:

$ host www.countmein.com
www.countmein.com CNAME countmein.com
countmein.com A 66.150.173.180

Blue Gecko, Inc. PNAP-SEF-BLUGKO-RM-01 (NET-66-150-173-176-1) 66.150.173.176 - 66.150.173.191

There never was a reply from Blue Gecko to spam complaints related to Count Me In Corporation, so

REJECT all -- 66.150.173.176/28 0.0.0.0/0 n/a

$ host www.countmeincorp.com
www.countmeincorp.com A 212.118.243.114

Only a week ago (May 4) it was on [64.74.96.249]. Could it really be that eNom got fed up with you? On the other hand, Internap seems quite happy to wiggle you around.

inetnum: 212.118.224.0 - 212.118.255.255
org: ORG-INSU1-RIPE
netname: UK-INTERNAP-2530
descr: PROVIDER
country: GB

I won't even discuss Internap. You just cost the following to all their other customers in the same network:

REJECT all -- 212.118.224.0/19 0.0.0.0/0 n/a

$ host -t mx countmein.com
countmein.com MX 20 mx2.spamsoap.com
countmein.com MX 30 mx3.spamsoap.com
countmein.com MX 10 mx1.spamsoap.com

_That_, my dear audience, is the definition of ludicrous. There it is. The professional spammer Count Me In Corporation has outsourced its incoming mail handling to a spam filtering business.

$ host -t mx countmeincorp.com
countmeincorp.com MX 10 mx.countmeincorp.com
$ host mx.countmeincorp.com
mx.countmeincorp.com A 63.229.26.240
$ host cmiservices.biz
cmiservices.biz A 12.129.237.252

ATT WorldNet Services ATT (NET-12-0-0-0-1) 12.0.0.0 - 12.255.255.255
CERFnet ATTENS-LAX1-1 (NET-12-129-192-0-1) 12.129.192.0 - 12.129.255.255
iPowerWeb ATTENS-008161-002508 (NET-12-129-237-0-1) 12.129.237.0 - 12.129.237.255

REJECT all -- 12.129.237.0/24 0.0.0.0/0 n/a

$ host countmein.wc09.net
countmein.wc09.net A 63.214.0.227

OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US
NetRange: 63.208.0.0 - 63.215.255.255
CIDR: 63.208.0.0/13

REJECT all -- 63.208.0.0/13 0.0.0.0/0 n/a
Re: SPAM: Re: [Declude.JunkMail] countmein.com
Sounds good guys, I'll take it up with them directly.

Thanks,
Dan

From: Darrell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 12 May 2004 08:43:22 -0400
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: SPAM: Re: [Declude.JunkMail] countmein.com

There are several reports on NANAE (some very recent, most from 2003) -

http://groups.google.com/groups?hl=enlr=q=countmein.commeta=group%3Dnews.admin.net-abuse.sightings

Here is a link to more info specifically (by the same folks that email you)

http://groups.google.com/groups?q=countmein.com+group:news.admin.net-abuse.sightingshl=enlr=group=news.admin.net-abuse.sightingsscoring=dselm=200405050545.i455j4ko011765%40send.it.helsinki.firnum=1

Darrell

- Check out http://www.invariantsystems.com for utilities for Declude and Imail.

Quoting Dan Patnode [EMAIL PROTECTED]:

The Institute of Biotechnology, University of Helsinki Finland just sent my abuse line a report suggesting a new client of mine is a spammer. I'm not in the business of protecting these guys from each other. Has anyone heard of countmein.com as a spammer?
Re: [Declude.JunkMail] Declude Products Training
Samantha,

You have 4 basic options:

1) Invest occasional time and run with the basic configuration.
2) Invest daily time, collaborating with the excellent help on this list, including Scott.
3) Outsource all or part of your configuration with a company like Mail Pure.
4) Outsource your entire filtering needs to a company like mine. Many include discounts to schools and non profits. A certain county in Virginia is quite happy with this route.

Dan

From: Bridges, Samantha [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 3 May 2004 16:01:27 -0400
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude Products Training

Are you one of the us? Please contact me off-list for more information.

I really wish that Declude would offer some kind of training or conference. Even though Declude is an easy to understand app, it would be helpful to know if I am setting up and properly maintaining my declude products. Not everything to learn and know can be accomplished from a forum alone. These are very complex times with viruses and spam and such... A bit more support would be great. I know I am not the only one who does more than just email. Network security, application training, user support, 43 servers to maintain (web servers, exchange servers, altiris servers, routers, switches, . And the list goes on. The point is, I don't always have time to read all the forum information. Scott does a wonderful job with his support online, but call me old school...I Like To TALK To Humans When Need Be...I'll even pay for it too!

[EMAIL PROTECTED]

Thanks

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 3:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude Products Training

I do not think so, at least not yet. However, there are some of us on this list that can offer to help get things going and such.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Bridges, Samantha
Sent: Monday, May 03, 2004 11:53 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude Products Training

Hi Scott - Does Declude offer some kind of training for their products? With things in the virus/spam world getting out of control, it would be great to get into some kind of training to be sure I am doing all that I can.

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township MI 48038-1100
(586) 228-3300
Re: [Declude.JunkMail] Anything special for Imail 8.1?
To confirm, you're talking about Declude 1.79?

From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 04 May 2004 09:35:35 -0400
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Anything special for Imail 8.1?

There are no known issues with IMail v8.11 and Declude.

So can I continue to use the latest non-beta or do I need to beta? How stable is the beta?

It would probably be better to run the Declude beta. It is very stable, and will help ensure that nothing weird happens when using IMail v8.11 with the multiple scanning.

-Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.JunkMail] Crazy Characters
Has anyone noticed these yet:

Subject: Lower your monthly payment today !

Between the words are space like characters that aren't spaces. I can only view them using symbol or dingbat fonts and my email client can't even search for them in a folder of messages. I'm inclined to make a filter for them, but I don't know how Declude will react.

Scott, please advise,

Dan
Re: [Declude.JunkMail] Crazy Characters
Nice.

From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 29 Mar 2004 20:10:52 -0500
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Crazy Characters

Between the words are space like characters that aren't spaces. I can only view them using symbol or dingbat fonts and my email client can't even search for them in a folder of messages. I'm inclined to make a filter for them, but I don't know how Declude will react.

Those are high bit (8-bit) characters. Versions of Declude JunkMail v1.70 and later will properly process those characters in filters (previous versions would not be able to handle them properly in filters).

-Scott
[Declude.JunkMail] Zombies 101
http://australianit.news.com.au/articles/0,7204,8901975%5e15388%5e%5enbv%5e,00.html

Spam zombies on the rise
Anick Jesdanun
MARCH 08, 2004

NEXT time you're looking for a culprit for all that junk mail flooding your inbox, have a glance in the mirror. Spammers are increasingly exploiting home computers with high-speed internet connections into which they've cleverly burrowed. Email security companies estimate that between one-third and two-thirds of unwanted messages are relayed unwittingly by PC owners who set up software incorrectly or fail to secure their machines.

David Lawrence, 43, owns such a computer, which turned into a spam zombie when a virus infected it in October. Five or six spammers were using his cable modem to remotely send pitches for products like Viagra and boosters for mobile phone signals.

"Spammers and the people who write these viruses ... is their life so void that they feel they have to mess up other people?" said Lawrence. "To me, it's criminal."

The self-employed American businessman from Georgia said he learned of his computer's culpability when his internet service got suspended. "I called to find out what was going on because I knew I had the bill paid," he said.

Lawrence is by no means alone. Hundreds of thousands of computers worldwide have been infected by SoBig and other viruses that are programmed to spawn gateways, known technically as proxies, to relay spam. Though Lawrence had antivirus software, he hadn't kept it updated.

It's ironic to the president of the security website myNetWatchman.com, Lawrence Baldwin, that those afflicted by spam are also often its couriers. "That's further encouragement, justification for taking responsibility for your own system," said Baldwin. "If you don't, you can be part of the very problem you're complaining about."

Any internet-connected computer could be running a proxy spam relay, but most of the malicious programs are written specifically for PCs that run Windows.

In the past, some spammers had sought out and exploited internet-connected computers with misconfigured networking software. The latest and growing threat is code purposely written to create spam relay proxies as it is spread by malicious viruses.

"It's just going to get worse," said Ken Schneider, chief technology officer at spam-filtering company Brightmail. "Traditionally, virus writers were driven more by reputation and trying to impress each other. Now there's an economic motive."

In February, a proxy program called Mitglieder began installing itself on computers infected by January's Mydoom outbreak, said Mikko Hypponen, manager of antivirus research at F-Secure Corp in Finland. He said such programs can also sneak in if computer owners fail to install patches to fix known Windows flaws.

The shift in spamming methods even prompted the US Federal Trade Commission to issue a consumer alert in January. The advisory encouraged consumers to use antivirus and firewall programs and to check sent mail folders for suspicious messages. Others say home Windows users should also keep their operating systems up to date by visiting windowsupdate.microsoft.com.

"If your computer has been taken over by a spammer, you could face serious problems," the FTC advisory wrote. "Your Internet Service Provider (ISP) may prevent you from sending any email at all until the virus is treated, and treatment could be a complicated, time-consuming process."

In the early days, spammers sent out junk messages directly from their machines. ISPs easily found them and closed their accounts. Spammers then looked for so-called open relays. These are typically mail servers at ISPs, often in Asia or South America, carelessly configured so that anyone on the internet can send mail through them without needing a password. The relays make messages appear to have come from an ISP, not the spammer.

But ISPs and anti-spam activists soon identified many of the open-relay machines and either pressured their owners to stop or blocked messages from them. Stymied by a more concerted effort by ISPs to lock down their internet mail servers, the spammers turned to the less vigorously protected home machines. They are abundant and simple to find. Spammers can cover their tracks and become virtually untraceable.

"It pains me to say it, but it's very clever of the spammer to have thought of this, getting legitimate PCs to send spam on their behalf," said Andrew Lochart, director of product marketing at email security company Postini Inc.

Steve Atkins, chief technology officer at the anti-spam consultancy Word to the Wise LLC, said some ISPs continue to be plagued by open-relay techniques, but spammers generally don't bother with them anymore because it's so much easier to have success with home machines.

Where much of the spam previously flowed through China, South Korea, Brazil and other countries whose ISPs left many relays open, it's now being hastened by a North American
Re: [Declude.JunkMail] Junkmail enhancement ideas
#4's a tricky one I've been watching for some time. Turns out it's a generic server failure such that were a filter in place to look for it and you had a real server failure, every message would trip the filter. What's needed is a way to prevent the errors, which seems to be easier said than done. Anyone have a solution for this?

Dan

From: Scott Fisher [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 15 Mar 2004 16:57:08 -0600
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Junkmail enhancement ideas

I know the virus portion of Declude has been occupying much of your time, but I'd like to offer up some enhancement ideas for Junkmail.

1. I know this has been mentioned before: the ability to have a space in the filter. I'd like to filter (space)cialis. Rather than +10 cialis -10 specialist
2. I'd like to see a third column added to the spamdomains test. Same function as the 2nd column, it would just give more flexibility.
3. How about an ISNOT test for the filters?
4. In regards to forged, non-existent domains or domains with no MX record, I see that an error message is put in the log:
WARNING: DNS server x.x.x.x returned a SERVER FAILURE error for MX or A for 775rgt.com.
Examining some of these, I see that these are SPAM from forged non-existent domains. I wonder if this could be the basis for a new test?

Scott Fisher
Director of IT
Farm Progress Companies
[Declude.JunkMail] Comcast Update
Seems they're actually aware of the problem:

http://maccentral.macworld.com/news/2004/03/10/comcast/index.php?redirect=1078943859000
Re: [Declude.JunkMail] Internal Mail
Darryl,

You can run Declude on its own server in front of clients' email servers, as a gateway. Only external email then gets scanned for spam.

Dan

On Thursday, September 18, 2003 8:01, Darryl Koster [EMAIL PROTECTED] wrote:

The hosting business I run deals mainly with business and I have no dial up or dsl customers that use my services. Saying this it means we get a lot of internal mail going between clients. Is there a way to ensure that e-mails sent from an address (say statustechnologies to statustechnologies) will be allowed through? I know that there is the whitelist from, it's hard to list over 1000 clients on there with only 200 whitelist options available. Having something like this would definitely cut down on the amount of held mail we get on a daily basis.

Thanks

Darryl Koster
~~
Status Technologies Inc.
President/Owner
Let Us Help You Get The Status You Deserve!
http://www.statustechnologies.com
P: (905) 435-0145
TF (NA) 888-909-9004
F: (905) 435-0873
Re: [Declude.JunkMail] Some good info on the Verislime coup
Interesting points,

There's a name for industries where more than one supplier isn't practical: natural monopoly. I can't recall a single example where a natural monopoly improved after privatization. In economics terms, systems for maximizing profit (capitalism) don't work with systems where multiple suppliers are possible/practical. Imagine multiple water pipes coming into your home, one for each company.

We're so used to words like capitalism and democracy, we don't realize our systems are actually hybrids, operating in balance.

Dan

On Thursday, September 18, 2003 10:29, Todd Holt [EMAIL PROTECTED] wrote:

Just another example of what happens when basic infrastructure is privatized! I'm not a bleeding heart liberal proponent of government controlling everything, but I do believe that certain infrastructure components need to be controlled by a disinterested third party (or less interested) that can be controlled by the will of the people to some degree (by voting).

This problem is similar to the deregulation of electricity. Now many parts of the country pay more for electricity than before. And what happens if some bonehead company takes over a huge section of the grid, then goes bankrupt? We now have absolutely no control over the internet! Be careful of what you wish for, because you just may get it!

Another interesting note from the article, how about this hypothetical situation: One of my users sends a message to his mother telling her that he just found out that he tested positive for AIDS. Not wanting his employer to know because of fears of discrimination. And expecting that only his mother will read the message. In that message, he accidentally misspells the domain name in his mother's address. This message now gets sent to Verislime's SMTP relay server, the content saved and the message discarded. Next, the content is sold to a researcher who contacts the original user's employer asking for medical history on the person with AIDS.

Now the employer knows, the discrimination occurs. Does that user have a right to sue me as the email provider for not insuring his privacy? Tell me the lawyers won't have a field day with that.

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Sheldon Koehler
Sent: Thursday, September 18, 2003 9:33 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Some good info on the Verislime coup

http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html

Sheldon

Sheldon Koehler, Owner/Partner
http://www.tenforward.com
Ten Forward Communications
360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
[Declude.JunkMail] Disposable Domains
Spammers put links in the body of messages and more recently are creating them by the pound, changing to new ones multiple times/days. Is it possible to have a test that checks the age of domain names in the body? This information is available from a number of places:

http://www-whois.internic.net/cgi/whois?whois_nic=uzbeki98.biztype=domain

But is it possible to make an automated test that can collect and use it? Simplest would be just specifying the location and age, in days, fewer than which it would trip, under one month in this example:

DomainAge domainage body30 1 0

Dan
Re: [Declude.JunkMail] Strange Subject
Looking at my spamples I don't see any prefix letter:

Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?
Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=
Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month
Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=
Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=
Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=
Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=
Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=
Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=
Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=

Who are these guys putting the code in the middle? Course, I'm only looking at uncaught spam, perhaps these guys are getting nailed by other tests.

Dan

On Thursday, September 11, 2003 13:16, Colbeck, Andrew [EMAIL PROTECTED] wrote:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

I'm seeing quite a few of these coming in, but they are getting held. I'm including a sample from my log, which is set to HIGH so that others can see what tests have been useful for me.

An interesting point that came out of my following this thread is that I found that when the ISO string appears anywhere in the subject EXCEPT for the beginning, it's a SURE indicator that the message is spam. A really long (and imperfect) way to test for that is to add:

SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
999 CONTAINS 3=?ISO-8859-1?b?

Anyone have a more concise way to test for that?

Andrew 8)
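An added example, not part of the original posts and not Declude syntax: a Python sketch of the check discussed in this message. It generalises the one-line-per-character filter to a single test for any RFC 2047 encoded-word that touches non-whitespace text on either side (RFC 2047 requires whitespace separation), and decodes the subject for review. The function names are hypothetical; the sample subjects are the ones quoted in this thread.

```python
import base64
import binascii
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def _decode_word(match):
    """Decode one encoded-word; return the raw token if it cannot be decoded."""
    charset, encoding, text = match.groups()
    try:
        if encoding in "bB":
            raw = base64.b64decode(text, validate=True)
        else:
            raw = quopri.decodestring(text.encode("ascii"), header=True)
    except (binascii.Error, ValueError):
        return match.group(0)
    try:
        return raw.decode(charset, errors="replace")
    except LookupError:
        # Charset name unknown to Python: fall back to a byte-preserving codec.
        return raw.decode("latin-1")


def analyze_subject(subject):
    """Return (decoded_subject, glued).

    glued counts encoded-words that are directly adjacent to non-whitespace
    text on the left or right, which a compliant mailer never produces.
    Decoding is a simple in-place substitution for review purposes; it does
    not drop whitespace between adjacent encoded-words as a full decoder would.
    """
    glued = 0
    for m in ENCODED_WORD.finditer(subject):
        left = subject[m.start() - 1] if m.start() > 0 else " "
        right = subject[m.end()] if m.end() < len(subject) else " "
        if not left.isspace() or not right.isspace():
            glued += 1
    return ENCODED_WORD.sub(_decode_word, subject), glued


# Subjects quoted in this thread (the last one is the legitimate Korean
# message mentioned in the follow-up, which has a plain-text prefix).
SAMPLES = [
    "=?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?",
    "=?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month",
    "=?iso-8859-1?B?U2F2ZSBtb25leSE=?=",
    "=?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=",
    "[22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?=",
]

if __name__ == "__main__":
    for s in SAMPLES:
        decoded, glued = analyze_subject(s)
        verdict = "SUSPECT" if glued else "ok"
        print(f"{verdict:8} glued={glued} {decoded!r}")
```

Testing adjacency rather than position keeps the whitespace-separated `[22] =?euc-kr?...` subject from tripping the check, while the split-word subjects still do.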
Re: SPAM: Re: [Declude.JunkMail] Strange Subject
Not bad. Makes me wonder if the future test grouping feature would be even stronger with exclusive as well as inclusive grouping. Must have (1) and (2) but not (3). That would rock! :)

Dan

On Thursday, September 11, 2003 15:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Dan,

There's a decent way around that. You can set the test in the Config file for a solid weight, not score each filter test incrementally, and then provide a list of negative tests that would offset the test. So if there is some sort of ISO tagging of this Japanese stuff, you can find that code and defeat the test from running. Same goes for other languages.

I just got my first false positive out of 200 catches. This was from Korea but written in English (still encoded though). There are two clues in the headers as to how to defeat the test:

Subject: [22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?=
Content-Type: text/html; charset=euc-kr

You could probably do something like the following (suggested replacement for the original filter if you are using it):

GIBBERISHSUB filter C:\IMail\Declude\Filters\GibberishSub.txt x50

# The following defeats the test if it finds the subject is not sent as ASCII
SUBJECT -5 CONTAINS ?b?
# Small list of letter combinations not found in a basic dictionary.
SUBJECT 0 CONTAINS qb
SUBJECT 0 CONTAINS qc
SUBJECT 0 CONTAINS qd
SUBJECT 0 CONTAINS qe
SUBJECT 0 CONTAINS qf
SUBJECT 0 CONTAINS qg
SUBJECT 0 CONTAINS qh
SUBJECT 0 CONTAINS qi
SUBJECT 0 CONTAINS qj
SUBJECT 0 CONTAINS qk
SUBJECT 0 CONTAINS qm
SUBJECT 0 CONTAINS qn
SUBJECT 0 CONTAINS qo
SUBJECT 0 CONTAINS qp
SUBJECT 0 CONTAINS qr
SUBJECT 0 CONTAINS qs
SUBJECT 0 CONTAINS qt
SUBJECT 0 CONTAINS qv
SUBJECT 0 CONTAINS qx
SUBJECT 0 CONTAINS qy
SUBJECT 0 CONTAINS qz
SUBJECT 0 CONTAINS vq
SUBJECT 0 CONTAINS wq
SUBJECT 0 CONTAINS tq
SUBJECT 0 CONTAINS jq
SUBJECT 0 CONTAINS xd
SUBJECT 0 CONTAINS xj
SUBJECT 0 CONTAINS xk
SUBJECT 0 CONTAINS xr
SUBJECT 0 CONTAINS xz
SUBJECT 0 CONTAINS zb
SUBJECT 0 CONTAINS zc
SUBJECT 0 CONTAINS zf
SUBJECT 0 CONTAINS zj
SUBJECT 0 CONTAINS zk
SUBJECT 0 CONTAINS zl
SUBJECT 0 CONTAINS zm
SUBJECT 0 CONTAINS zx

Matt

Dan Patnode wrote:

Follow-up,

Used in a high weight soft test, 3 of Q subject tests FPd this morning. It seems that Japanese encoded messages like lots of mixed up letters. More testing...

Dan

On Wednesday, September 10, 2003 19:20, Dan Patnode [EMAIL PROTECTED] wrote:

I did a scan of all uncaught spam from the last week, found all the ones with Q, removed the QU's and ended up with this list.
All of these would have been seen by Matt's new config:

Subject: Block those unwanted Popups yqvqk
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: Block those unwanted Popups yqvqk
Subject: FW: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: FW: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: get that extra boost in the bed uvqtc qqyixu
Subject: FW: new mailREgnfqnKQT
Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: Re: new mailREgnfqnKQT
Subject: Re: new mail REgnfqnKQT
Subject: Stop messages SPAM po p vyoaejswayqo
Subject: [Fwd: =?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=

Dan

On Wednesday, September 10, 2003 17:45, Matthew Bramble [EMAIL PROTECTED] wrote:

How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives.

I think I've mentioned enough times, the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just like SUBJECTSPACES and BCC, but in reverse
Re: [Declude.JunkMail] New test request
Wow, what a sweet idea Matthew! Applying rules of English (like Q is always followed by U) to look for gibberish. :)

Yea, so long as BODY searches attachments, any small code will sooner or later show up in an attachment. I've even had problems trying hard tests for complete words where an L was replaced with an I and it showed up in attachment PDF code.

Dan

On Wednesday, September 10, 2003 13:36, Matthew Bramble [EMAIL PROTECTED] wrote:

Dan Patnode wrote:

Good point,

The goal then should be to differentiate numbers used as codes from numbers used to confuse. The former tend to be contiguous while the latter (in my experience), tend to be mixed in with letters. Perhaps if the test counted numbers with letters on both sides?

Dan

If you are looking for gibberish, look to the subject line and not the sender. I actually have a decent test for this in the subject line (don't use it in the body). The only false positives would come from very strange acronyms and auto-generated code such as tracking/receipt numbers. This scores higher the more gibberish you catch. It's been safe so far for me.

GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x10

SUBJECT 2 CONTAINS qb
SUBJECT 2 CONTAINS qc
SUBJECT 2 CONTAINS qd
SUBJECT 2 CONTAINS qe
SUBJECT 2 CONTAINS qf
SUBJECT 2 CONTAINS qg
SUBJECT 2 CONTAINS qh
SUBJECT 2 CONTAINS qi
SUBJECT 2 CONTAINS qj
SUBJECT 2 CONTAINS qk
SUBJECT 2 CONTAINS qm
SUBJECT 2 CONTAINS qn
SUBJECT 2 CONTAINS qo
SUBJECT 2 CONTAINS qp
SUBJECT 2 CONTAINS qr
SUBJECT 2 CONTAINS qs
SUBJECT 2 CONTAINS qt
SUBJECT 2 CONTAINS qv
SUBJECT 2 CONTAINS qx
SUBJECT 2 CONTAINS qy
SUBJECT 2 CONTAINS qz
SUBJECT 2 CONTAINS vq
SUBJECT 2 CONTAINS wq
SUBJECT 2 CONTAINS tq
SUBJECT 2 CONTAINS jq
SUBJECT 2 CONTAINS xd
SUBJECT 2 CONTAINS xj
SUBJECT 2 CONTAINS xk
SUBJECT 2 CONTAINS xr
SUBJECT 2 CONTAINS xz
SUBJECT 2 CONTAINS zb
SUBJECT 2 CONTAINS zc
SUBJECT 2 CONTAINS zf
SUBJECT 2 CONTAINS zj
SUBJECT 2 CONTAINS zk
SUBJECT 2 CONTAINS zl
SUBJECT 2 CONTAINS zm
SUBJECT 2 CONTAINS zx
Re: [Declude.JunkMail] SMTP Relay Limit
Should have been more specific,

I'm looking for something used by larger ISPs that gives me the confidence of volume and stability. Something attached to a name and a phone number I can call when there's a problem. I don't mind paying for it.

Top 2 or 3 names?

Thanks,
Dan

On Wednesday, September 10, 2003 13:15, Charles Frolick [EMAIL PROTECTED] wrote:

I like Xmail server (http://www.xmailserver.org), it is multi platform and can easily do what you want.

Thanks,
Chuck Frolick
ArgoNet, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Wednesday, September 10, 2003 2:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SMTP Relay Limit

I'm running Declude as a gateway for various IPs and just hit a limit. Under

Addresses specified here are to be considered local addresses for mail gatewaying

Adding entries to Access Control under SMTP, the 100th entry produces an error:

Maximum table size reached

So now, no more clients can be added because I can't relay their mail. Ipswitch says it's hard coded across all versions and a fix is months away, if they agree to do it.

What I'm thinking is sending all mail to a down stream server that doesn't have this limit that would in turn forward to clients. This leaves two questions:

1) What's the best email server software to do this with, providing both unlimited relay IPs and easy text editing of the delivery list (Linux, Windows, Mac)?

2) What's the best way to deliver from Imail to this server? The obvious is to add this same IP to every domain listed in the hosts file, but would it be better to use Gateway Option, Send all remote mail through gateway?

Any comments/insights would be appreciated.

Thanks!
Dan
Re: [Declude.JunkMail] Strange Subject
FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.

Dan

On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):

HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments).

The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guy leaves apart from having no text in the body, is having different country's TLDs listed in the Received line, the sender, and the reverse DNS.

Here's a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2:
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: Shirley Dalton [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 314612976

htmlbody center!--lfoln42j66--a href=http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni;img src=http://discountrate2-dot-com/pics/gv1.gif; height=270 width=405/a/center /html/body
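The two-letter gibberish list from the "New test request" message, run against both the raw Subject header and its RFC 2047 decoded text, as an added example that is not from any poster or from Declude. The function names, case-insensitive matching and one hit per distinct string are assumptions, and the Japanese subject is a constructed sample.

```python
import re
from email.errors import HeaderParseError
from email.header import Header, decode_header

# The 38 two-letter strings from the GibberishSub.txt list posted in this thread.
BIGRAMS = (
    "qb qc qd qe qf qg qh qi qj qk qm qn qo qp qr qs qt qv qx qy qz "
    "vq wq tq jq xd xj xk xr xz zb zc zf zj zk zl zm zx"
).split()
WEIGHT_PER_HIT = 2  # mirrors the posted "SUBJECT 2 CONTAINS ..." lines

# RFC 2047 encoded-word: =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[BbQq]\?[^?\s]+\?=")


def decode_subject(raw):
    """Return the subject as a mail client would display it.

    Malformed encoded-words fall back to the raw text, so a broken header
    is still scored instead of raising.
    """
    try:
        chunks = decode_header(raw)
    except HeaderParseError:
        return raw
    parts = []
    for data, charset in chunks:
        if isinstance(data, bytes):
            try:
                data = data.decode(charset or "ascii", errors="replace")
            except LookupError:  # charset label Python does not know
                data = data.decode("latin-1")
        parts.append(data)
    return "".join(parts)


def gibberish_hits(text):
    """List the filter strings found in text (assumed: case-insensitive, one hit each)."""
    low = text.lower()
    return [bg for bg in BIGRAMS if bg in low]


def evaluate(raw):
    """Score one Subject value both ways so the two views can be compared."""
    decoded = decode_subject(raw)
    return {
        "encoded": bool(ENCODED_WORD.search(raw)),
        "decoded": decoded,
        "raw_score": WEIGHT_PER_HIT * len(gibberish_hits(raw)),
        "decoded_score": WEIGHT_PER_HIT * len(gibberish_hits(decoded)),
    }


# Subjects quoted in the thread.
SPAM_SUBJECT = "Block those unwanted Popups yqvqk"
FRENCH_SUBJECT = "=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?="
# Constructed sample: a short Japanese subject ("meeting materials"),
# encoded at run time as an ISO-2022-JP base64 encoded-word.
JP_TEXT = "\u4f1a\u8b70\u306e\u8cc7\u6599"
JP_SUBJECT = Header(JP_TEXT, "iso-2022-jp").encode()

if __name__ == "__main__":
    for raw in (SPAM_SUBJECT, FRENCH_SUBJECT, JP_SUBJECT):
        r = evaluate(raw)
        print(f"{raw[:48]!r:52} encoded={r['encoded']!s:5} "
              f"raw={r['raw_score']:2} decoded={r['decoded_score']:2}")
```

The base64 alphabet itself supplies letter pairs from the list, so a substring test over the undecoded header scores a legitimate encoded subject as gibberish; decoding first removes those hits and leaves the genuinely random tail of the spam subject scoring as before.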
Re: [Declude.JunkMail] Strange Subject
Scott,

It pains me to suggest making your todo list longer but how about adding test grouping? It would be too much to make multiple weight scales, but how about something simpler. Say you wanted to make 3 groups of 3 each. Label one of the option columns in such a way that they can be grouped:

Group1       G1            x   x  0  0
Group2       G2            x   x  0  0
Group3       G3            x   x  0  0
BADHEADERS   badheaders    G1  x  0  0
BASE64       base64        G1  x  0  0
HELOBOGUS    helovalid     G1  x  0  0
MAILFROM     envfrom       G2  x  0  0
IPNOTINMX    ipnotinm      G2  x  0  0
PERCENT      percent       G2  x  0  0
REVDNS       revdnsexists  G3  x  0  0
ROUTING      spamrouting   G3  x  0  0
SPAMHEADERS  spamheaders   G3  x  0  0

Sub tests could be duplicated to run solo and in a group or not to run only in a group. Groups could be hit only in action files ($default) or have weights (being tests of their own).

We could then build profiles, adding all the different behaviors particular spams share, regardless of which tests define those behaviors. I would love, for example, to combine an IPFILE listing US broadband IPs with NONENGLISH.

Dan

On Wednesday, September 10, 2003 16:57, Dan Patnode [EMAIL PROTECTED] wrote:

FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.

Dan

On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text.
I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other charactersets could need this): HEADERS 10 CONTAINS ISO-8859-1?B? Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments). The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guys leaves apart from having no text in the body, is having different country's TLDs listed in the Received line, the sender, and the reverse DNS. Here's a copy of what I just received using this technique (with links modified): From - Mon Sep 08 17:36:44 2003 X-UIDL: 314612976 X-Mozilla-Status: 0011 X-Mozilla-Status2: Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400 Date: Mon, 08 Sep 2003 21:35:35 + Message-ID: [EMAIL PROTECTED] X-Mailer: Windows Eudora Pro Version 2.2 (32) To: [EMAIL PROTECTED] Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?= MIME-Version: 1.0 From: Shirley Dalton [EMAIL PROTECTED] Content-Type: text/html Content-Transfer-Encoding: 8bit X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33] X-Declude-Spoolname: Df62404f101d89e2c.SMD X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam. X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]). 
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1] X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 314612976 htmlbody center!--lfoln42j66--a href=http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni;img src=http://discountrate2-dot-com/pics/gv1.gif; height=270 width=405/a/center /html/body
Re: [Declude.JunkMail] Strange Subject
I did a scan of all uncaught spam from the last week, found all the one's with Q, removed the QU's and ended up with this list. All of these would have been seen by Matt's new config: Subject: Block those unwanted Popups yqvqk Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1 Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1 Subject: FW: Block those unwanted Popups yqvqk Subject: FW: drive luxury cars and get paid 9xP%oY5NzPG\q2G Subject: FW: drive luxury cars and get paid L0z[7J4aYq!F7P1 Subject: FW: get that extra boost in the bed uvqtc qqyixu Subject: FW: new mailREgnfqnKQT Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u Subject: get that extra boost in the bed uvqtc qqyixu Subject: get that extra boost in the bed uvqtc qqyixu Subject: Re: new mailREgnfqnKQT Subject: Re: new mail REgnfqnKQT Subject: Stop messages SPAM po p vyoaejswayqo Subject: [Fwd: =?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?= Dan On Wednesday, September 10, 2003 17:45, Matthew Bramble [EMAIL PROTECTED] wrote: How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives. I think I've mentioned enough times, the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just just like SUBECTSPACES and BCC, but in reverse (the less there is, the higher the score). 
I could catch so much crap with those 40 or so two character gibberish strings, in fact I think it was properly tagging around 10% to 20% of all unique incoming messages today if not more. That gibberish subject filter is tagging over 5% by itself, and with perfect accuracy so far. A functional gibberish body filter though would have a reasonable number of false positives (was tagging buy.com links that were shown in displayable text for instance). I don't of course though expect Scott to rush to my aid here. I have managed to add though tests for SUBECTSPACES (very effective), COMMENTS (effective) and BCC (just ok), along with some small key word/phrase filters for the body, subject and sender with very good success. I only saw about 5 definitive false positives today out of around 3000 unique messages, but approximately 150 pieces of spam got through. I think that could be reduced by as much as half without a measurable impact on the false positives. If that doesn't work, I'm buying a gun :) BTW, on Linux, my guru buddy recommends Postfix as the SMTP client and Webmin as the interface. I don't though dispute Sandy's faith in MS SMTP, and it can be run on the same box as IMail. Matt Dan Patnode wrote: FYI, I pulled this test 3 weeks ago after a email from France came through (or rather didn't) with this subject: Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?= There's definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables togther as a super test. Dan On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote: Use a text filter and add something like: SUBJECT 40 CONTAINS =?ISO-8859-1?b? to it. I tried this all the way down to ust ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. 
I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other charactersets could need this): HEADERS 10 CONTAINS ISO-8859-1?B? Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments). The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guys leaves apart from having no text in the body
[Declude.JunkMail] Name/Whois Server Test?
I keep seeing generic word payload domains that have generic words followed by short codes:

manual3a.com
infowebdd4.com
saless1d.com
seaccc1.com
saleon1.com
greatdf45.com
greatinfo33f.com
greatbizss3.com
biz34er5.com
clearsale12.com
bigsalesxz.com

The interesting part, is that their Internic.net accounts are all the same, in this case an entire service (paycenter.com.cn) devoted to spam:

Registrar: XIN NET CORP.
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.paycenter.com.cn
Name Server: NS0.DNSREALTIME.COM
Name Server: NS1.DNSREALTIME.COM

For all the domain names, there are only a few name servers and even fewer whois servers (one):

Searching for A record for www.saless1d.com at ns0.dnsrealtime.com.: Reports www.saless1d.com. [took 267 ms]
Searching for A record for bigsalesxz.com at ns1.dns1st.com.: Reports bigsalesxz.com. [took 288 ms]

How about a test for name server address (ns0.dnsrealtime.com) or better yet, the Whois server (whois.paycenter.com.cn)?

Dan
Re: [Declude.JunkMail] OSRELAY question.
There was a report in the last few days about relays.osirusoft.com going sour in some way. I didn't pay much attention until I had a dozen OSRELAY false positives staring me in the face. I've turned off all relays.osirusoft.com based tests (I used two).

Dan

On Tuesday, August 26, 2003 17:14, Chuck Schick [EMAIL PROTECTED] wrote:

In going thru the held mail I am finding some emails with this warning.

X-RBL-Warning: OSRELAY: Please stop using relays.osirusoft.com

This only shows up on a few emails but it causes the email to fail the OSRELAY test - meaning more false positives. Other emails either do not have the warning or they show a normal OSRELAY warning -

X-RBL-Warning: OSRELAY: This E-mail came from XXX.27.65.23, a potential spam source listed in OSRELAY.

I searched the archives but did I miss an announcement that we were supposed to quit using OSRELAY?

Thanks.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com
[Declude.JunkMail] Spoofed Subjects
Heads up to anyone using undeliverable subjects for whitelisting, pharmacysale.biz is trying to sneak around, some more subtle than others:

Subject: Returned mail: see transcript for details
Subject: Undeliverable: Online Pharmacy - Lowest Prices - Prozac and More!
Subject: Delivery Status Notification (Failure)
Subject: Undeliverable: Spending TOO MUCH on Prescriptions?
Subject: failure notice
Subject: Message status - undeliverable
Subject: Mail System Error - Returned Mail
Subject: Delivery Notification: Delivery has failed
Subject: Undeliverable: Refill Your VIAGRA Prescription Online
Subject: Undelivered Mail Returned to Sender

Dan
Re: [Declude.JunkMail] Multi Server Configs
FYI for everyone, I didn't have time to test and implement F-prot during this situation so I what I ended up doing was taking one of my Declude servers off the line, stripping it of all spam tests, and setting it in front of a second Declude server - it runs 7 lines worth of tests and makes a decision, very low CPU. In effect, I'm using the first as the gateway filter I was looking for, deleting the sobig's and passing the rest on to the second for spam filtering. BTW, all of this hassle is over one client, a software developer. They put [EMAIL PROTECTED] in every one of their readme files for every installed and demo version since time began. Sobig comes along on all these machines, harvests email addresses from files such as these, and blasts'em. The multitude of sources made it impossible to block the onslaught by sender IP. Dan On Monday, August 25, 2003 0:48, John Tolmachoff \(Lists\) [EMAIL PROTECTED] wrote: Yes, Declude Virus does this. Declude Virus is fired before Declude JM. It is checked in this order by default: Imail SMTP security Declude Virus virus scan Declude Virus banned extension Declude Virus vulnerabilities Declude JM Imail Rules Delivery John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Monday, August 25, 2003 12:10 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Multi Server Configs Thank you Matt. If correct, you've brought me more clarity and direction than I've had since this mess began. I've been so focused on fighting spam, I havn't yet installed Scott's AV system (after more than a year), relying instead on a basic Norton config to handle things. Scott, Can you confirm that virus' stopped by Declude AV (if so configured) will prevent that message from being scanned by the spam system, including those tagged soley by attachment names like *.pif? 
Thanks, Dan 'Sobig Egg on Face' Patnode On Sunday, August 24, 2003 18:30, Matthew Bramble [EMAIL PROTECTED] wrote: Dan, It appears that E-mail is first scanned by the virus scanner (F-Prot or whatever), and then if it passes, the excluded extensions are tested. So as soon as your virus scanner became Sobig.F aware, the excluded extensions test doesn't get done because it is blocked by the scanner. Maybe Scott can suggest other ways to save processing power? Scott, I know this is the wrong discussion group, but since we're on the topic, would it make more sense to test for banned extensions before it goes to the virus scanner in order to save processing power? Matt Dan Patnode wrote: Matt, by this: This does tie back into processor utilization though, because before the definitions were available, the banned extension test was placing those E-mails in a hold (wish you could have them deleted). The system seems though to scan the attachments first and then look for attachments to ban by extension, and that order could be reversed to save processing power. I assume this because the virus detection is now catching these files subsequent to the definitions update instead of the banned extension test doing the dirty work. are you saying that I could set up Fprot to scan for .pif files and then have it run before Declude's junk filters, holding/deleting them, saving the CPU from scanning these messages with my junk tests? Can this be confirmed, Scott? Dan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. 
Re: [Declude.JunkMail] Multi Server Configs
John, Unfamiliar with Declude's AV options so I'm uncertain what you mean, but all I'm looking to do is kill messages generated by Sobig before they get pushed through spam tests. If I can do that with Scott's AV package, bring it on! Dan On Sunday, August 24, 2003 23:10, John Tolmachoff \(Lists\) [EMAIL PROTECTED] wrote: The problem is when it comes to notifications and requeing. If a message gets stopped by banned extension first, and it is infected, you are going to be sending out a notice to the recipient of the blocked message. He is going to tell you hey, I know that send, and such and you are going to requeue it and on the virus goes. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Sunday, August 24, 2003 6:31 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Multi Server Configs Dan, It appears that E-mail is first scanned by the virus scanner (F-Prot or whatever), and then if it passes, the excluded extensions are tested. So as soon as your virus scanner became Sobig.F aware, the excluded extensions test doesn't get done because it is blocked by the scanner. Maybe Scott can suggest other ways to save processing power? Scott, I know this is the wrong discussion group, but since we're on the topic, would it make more sense to test for banned extensions before it goes to the virus scanner in order to save processing power? Matt Dan Patnode wrote: Matt, by this: This does tie back into processor utilization though, because before the definitions were available, the banned extension test was placing those E-mails in a hold (wish you could have them deleted). The system seems though to scan the attachments first and then look for attachments to ban by extension, and that order could be reversed to save processing power. 
I assume this because the virus detection is now catching these files subsequent to the definitions update instead of the banned extension test doing the dirty work. are you saying that I could set up Fprot to scan for .pif files and then have it run before Declude's junk filters, holding/deleting them, saving the CPU from scanning these messages with my junk tests? Can this be confirmed, Scott? Dan
Re: [Declude.JunkMail] Multi Server Configs
Thank you Matt. If correct, you've brought me more clarity and direction than I've had since this mess began. I've been so focused on fighting spam, I havn't yet installed Scott's AV system (after more than a year), relying instead on a basic Norton config to handle things. Scott, Can you confirm that virus' stopped by Declude AV (if so configured) will prevent that message from being scanned by the spam system, including those tagged soley by attachment names like *.pif? Thanks, Dan 'Sobig Egg on Face' Patnode On Sunday, August 24, 2003 18:30, Matthew Bramble [EMAIL PROTECTED] wrote: Dan, It appears that E-mail is first scanned by the virus scanner (F-Prot or whatever), and then if it passes, the excluded extensions are tested. So as soon as your virus scanner became Sobig.F aware, the excluded extensions test doesn't get done because it is blocked by the scanner. Maybe Scott can suggest other ways to save processing power? Scott, I know this is the wrong discussion group, but since we're on the topic, would it make more sense to test for banned extensions before it goes to the virus scanner in order to save processing power? Matt Dan Patnode wrote: Matt, by this: This does tie back into processor utilization though, because before the definitions were available, the banned extension test was placing those E-mails in a hold (wish you could have them deleted). The system seems though to scan the attachments first and then look for attachments to ban by extension, and that order could be reversed to save processing power. I assume this because the virus detection is now catching these files subsequent to the definitions update instead of the banned extension test doing the dirty work. are you saying that I could set up Fprot to scan for .pif files and then have it run before Declude's junk filters, holding/deleting them, saving the CPU from scanning these messages with my junk tests? Can this be confirmed, Scott? 
Dan
Re: [Declude.JunkMail] Multi Server Configs
Thanks for all the great feedback. I'm still drowning in 50,000+ SoBig messages/day but at least I now have them balanced over both 5gig servers instead of just one. What kills me is that the vast majority are headed for a single customer's info@ address.

Matt, by this:

This does tie back into processor utilization though, because before the definitions were available, the banned extension test was placing those E-mails in a hold (wish you could have them deleted). The system seems though to scan the attachments first and then look for attachments to ban by extension, and that order could be reversed to save processing power. I assume this because the virus detection is now catching these files subsequent to the definitions update instead of the banned extension test doing the dirty work.

are you saying that I could set up Fprot to scan for .pif files and then have it run before Declude's junk filters, holding/deleting them, saving the CPU from scanning these messages with my junk tests?

Can this be confirmed, Scott?

Dan
[Declude.JunkMail] Multi Server Configs
I'm running twin dual Xeon 2.4s and was nearly wiped out today by all the extra virus/worm activity. It's midnight and I'm still clearing out the overflow, to the tune of 2 dozen Declude processes.

Rather than running them in parallel as we had before (setting them up with the same MX weight), we are running these in series (every message hits the first server until it says uncle, then the second server gets some). Trouble is, the 1st server didn't refuse incoming mail, it just kept piling up in overflow - to the tune of about 10,000 messages in the course of a single morning.

Is there a way to configure Imail/Declude so as not to use overflow, instead refusing additional connections so they are passed to secondary servers?

Thanks

Dan

PS, more on CPU load itself later
Re: [Declude.JunkMail] Why the challenge/response measure wont work
Looks like they expired the link, only the domain reveals what you saw: http://tfexp.com/

I have a prospective client considering challenge/response, another good reason not to.

Dan

On Wednesday, July 30, 2003 4:58, Omar K. [EMAIL PROTECTED] wrote:

I fell for it, so I'm assuming that joe blogs will too. I'm never clicking on such a link again, and I assume as we see more abuse, most people won't either.

Received: from hasna.jeeran.com [208.187.144.109] by jeeran.com with ESMTP (SMTPD32-6.06) id A9731C300C0; Wed, 30 Jul 2003 13:18:11 +0200
Received: by hasna.jeeran.com (Postfix) id 857A6AE116; Wed, 30 Jul 2003 02:25:34 +0300 (EEST)
Delivered-To: [EMAIL PROTECTED]
Received: from smtp.spacestar.net (smtp.spacestar.net [206.191.192.8]) by hasna.jeeran.com (Postfix) with ESMTP id CB415AE100 for [EMAIL PROTECTED]; Wed, 30 Jul 2003 02:25:33 +0300 (EEST)
Received: from community.tfexp.com (unknown [206.191.219.10]) by smtp.spacestar.net (Postfix) with SMTP id 37D658A59 for [EMAIL PROTECTED]; Wed, 30 Jul 2003 05:22:06 -0500 (CDT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 30 Jul 2003 05:07:44 -0500
Subject: Address validation required
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 13.
X-Declude-Sender: [EMAIL PROTECTED] [206.191.192.8]
X-Note: This E-mail was scanned by jeeran.com for spam.
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, SPAMCHK [13]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 351353403
Status: U

You recently sent a message to Sysop on The Friendship Express Community

We are trying to reduce spam and junk mail coming to us. Before your email can be delivered, you must first validate yourself with our email system. To validate yourself, simply click on the following link: http://tfexp.com/spamban/validate/?c=1430594421

Once you have done this, you will not have to do this again, unless you change your email address. Thanks for your paitence and understanding.
Re: [Declude.JunkMail] Whitelist own IP or domain
Some-much of this local/remote distinction can be resolved by running Declude in front of/separate from your actual email server. The negative is that it kills auto whitelisting.

Dan

On Wednesday, July 30, 2003 12:01, Karen D. Oland [EMAIL PROTECTED] wrote:

I agree. We have the same problem here when sending from offsite. If/when declude lets us test for SMTP AUTH, then our issue (and most likely yours) will be resolved.

For mailing lists that are expected (or getting caught using spamdomains), we add negative weight (enough to offset either spamdomains or all their broken problems) so they get thru. We've also seen both spammers and legit mailing lists using the user's name on the left side, as well as double dashes or asterisks (which we scan for and add enough weight to result in a hold if not offset from a known list address).

Karen

-Original Message-
From: John Shacklett

I have a separate issue with SMTP AUTH which is complicating things, so I stuck another domain in that second field on the line for my home domain to try and fix that situation. Thanks for the suggestion though.

What I really have is three issues and only two degrees of freedom to try and solve them, and the fix for any pair of issues complicates the third. The ENDSWITH suggestion appeared to me to be the least intrusive way to get all three problems worked out.
Re: [Declude.JunkMail] Declude stats
If you're describing % of false positives/negatives, it can't be done automatically. Any system smart enough to tell what should have from what shouldn't have to calculate the difference would simply do as it should and be 100% accurate.

I get my numbers by taking the total messages and dividing it into the number of human perceived mistakes. In and of itself it's not exact, but it works wonders for comparative purposes when each calculation is done the same way with the same margin for error. Just make sure to use a large enough period of time, for me a week is minimum.

Dan

On Tuesday, July 29, 2003 12:31, Mark Gordon [EMAIL PROTECTED] wrote:

Declude stats

I have seen a post about having declude listing percentages about what it has done and blocked. What were the command line options to have this done?

Thanks
Re: [Declude.JunkMail] enhancement request: WORDFILTER URL keyword
I believe the html decoding already takes care of the second example. As for the first, I've had great success targeting spoofing directly:

BODY 0 CONTAINS http://7#
BODY 0 CONTAINS http://8#
BODY 0 CONTAINS http://9#
BODY 0 CONTAINS http://%
BODY 0 CONTAINS http://w%
BODY 0 CONTAINS http://ww%
BODY 0 CONTAINS @%30
BODY 0 CONTAINS @%31
BODY 0 CONTAINS @%32

Your example will get nailed nicely then, by:

BODY 0 CONTAINS @%77

Dan

On Friday, July 25, 2003 18:45, [EMAIL PROTECTED] wrote:

Hi Scott,

Have you considered the following? Since the goal of every spammer is to get the reader to visit their website (or call a phone number, or send a fax), every spam always has a target which very often is a URL. Although in 90% of the cases it is easy to add this to a word filter, I am noticing a few spams that use encoding tricks to randomize the URL or unsubscribe link so it is harder to add a single entry to filter it.

I was wondering if you had considered a keyword modifier URL for the wordfilter configuration file that would mean for Declude to assume the following field is a URL and to test all variable encodings. Here's what I mean. The following are encoded URL's from two recent spams:

http://serine:[EMAIL PROTECTED]
http://entendre:[EMAIL PROTECTED]assyriay8.143.72/punish/unsubscribe.php

The Declude entry could be something like:

BODYURL 8 CONTAINS http://www.something.com

instead of:

BODY 8 CONTAINS http://www.something.com

This would mean to try all encodings, or at least go cleansing removing the common tricks just like the COMMENTS function does.
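The "cleansing" step the BODYURL request above asks for, as an added Python sketch that is not from the thread and is not Declude's code: it strips the userinfo before "@", percent-decodes the host, and folds integer, hex and octal IP forms to a dotted quad before comparing against a blocklist. The function names, flag names and sample hosts (reserved example names and addresses) are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body; hosts use reserved example names and addresses.
SAMPLE_BODY = (
    "Remove yourself: http://bank.example:login@%77%77%77.spam-target.example/unsub.php\n"
    "Or visit http://3221225985/offer and http://www.example.com/news\n"
)


def _split_authority(url):
    """Return (userinfo, host) from a raw URL without decoding anything."""
    rest = url.split("://", 1)[1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    userinfo, at, hostport = authority.rpartition("@")
    return (userinfo if at else ""), hostport.split(":", 1)[0]


def _parse_num(part):
    """Parse one address component the way inet_aton-style parsers do."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    return None


def numeric_host_to_ipv4(host):
    """Fold 1-4 numeric components (decimal, hex, octal) into a dotted quad."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_num(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    # The last component fills every byte the leading components did not.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 255) for shift in (24, 16, 8, 0))


def analyze_url(url):
    """Return (canonical_host, flags) where flags names each trick seen."""
    userinfo, raw_host = _split_authority(url)
    host = unquote(raw_host).lower()
    flags = set()
    if userinfo:
        flags.add("userinfo")        # text before "@" is never the real host
    if "%" in raw_host:
        flags.add("encoded-host")    # e.g. "@%77" hides a leading "w"
    ip = numeric_host_to_ipv4(host)
    if ip is not None:
        flags.add("ip-host")
        if ip != host:
            flags.add("obscured-ip")  # single integer, hex or octal form
        host = ip
    return host, flags


def scan_body(body, blocked_hosts):
    """List (url, canonical_host, flags) for URLs whose real host is blocked."""
    hits = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")
        host, flags = analyze_url(url)
        if any(host == b or host.endswith("." + b) for b in blocked_hosts):
            hits.append((url, host, sorted(flags)))
    return hits


if __name__ == "__main__":
    for hit in scan_body(SAMPLE_BODY, {"spam-target.example", "192.0.2.1"}):
        print(hit)
```

A single blocklist entry then matches every encoding of the same host, which is what the per-prefix CONTAINS lines approximate one trick at a time.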
[Declude.JunkMail] Musical MX Records
I run a gateway configuration with clients changing their entire MX record to my servers, which in turn point back to the client's server. In this way, clients don't need to change anything else on their end and everyone is happy. The original email server stays wide open and no one is the wiser, until:

A client changed their MX record away from me, then later back to me (they tried to go it alone). Since then, spammers have been sending some spam directly to their server, ignoring the MX record and bypassing my servers/filters altogether. I wasn't too worried about it until it happened again, a different client's ISP accidentally changed the MX record, then switched it back - and spam started going around.

The fix is for the client to firewall block IPs that aren't mine but this doesn't feel right. Is there something about DNS/MX switching that might explain how a spammer was able to target a client's IP address based solely on on/off/on record change?

Thanks

Dan

On Friday, July 18, 2003 10:22, Russ Uhte [EMAIL PROTECTED] wrote:

What is happening here is that the spammer is using their own software (spamware) to send the spam. Knowing that many people don't scan E-mail that comes through their backup mailserver(s), their spamware chooses to try the backup mailservers first. If your Exchange server isn't running any anti-spam or anti-virus, I would recommend removing it from the MX record.

Here's my .02. Usually this spamware will do a normal DNS lookup and choose the MX record with the highest priority (which is wrong.) Make a 4th MX record that has the highest priority, and point it at your primary mail server. This will usually trick the spamware into sending to your primary mail server, and still keep your redundancy with real mailservers!!

-Russ
Re: [Declude.JunkMail] DNS Test?
Can't wait for this one!

On Friday, July 18, 2003 11:10, R. Scott Perry [EMAIL PROTECTED] wrote:

I have been looking at this trend and perhaps having another tool in our arsenal could help. Can there be a header or a variable we can assign weight to for DNS? A lot of spam houses have a DNS server and several that I checked were showing the same name server for their domains. Just like a blacklist that looks at emails I wonder if it is efficient use of resources if one could also have a blacklist of DNS servers. This way we can add weight to certain servers.

This is an interesting idea. It's been added to the suggestion database. It would be a bit tricky to implement, but could be very useful (and would probably not require much extra in the way of resources).

-Scott
Re: [Declude.JunkMail] XOUTHEADER shows up in the body
Reminds me of my weeks with Declude (over a year now). Turned out the format of my comments wasn't right, it was being rejected as header content, dropping into the body. As I recall, not all mail clients responded the same way - MS clients showing the problem.

I never went beyond making each line an X-note, so I'll let someone else cover the syntax you need.

Dan

On Wednesday, July 16, 2003 20:01, Dan Keltgen [EMAIL PROTECTED] wrote:

When I use an XOUTHEADER or turn XSENDER ON, it places the text at the end of the body, not in the header. Has anyone seen this before? I'm using Declude v1.69b

Thanks, Dan Keltgen
[Declude.JunkMail] Attack of the Hyphens
After killing off the .biz domains, there seems to be a surge in hyphenated domains, with generic, systems or typical words. Anyone else seeing this?:

COLO-JAN.NET linux-pros.net great-steals.com simply-4u.com media-permit.com bargain-bin.com e-member-services.com pret-ty.com on-thenet.net dns-buy.com every-dns.com

Dan

On Tuesday, June 24, 2003 13:06, Kami Razvan [EMAIL PROTECTED] wrote:

Hi;

Just wanted to share the idea of a filter that we have tested with good results. We use our blacklist in 3 different filters.

- Blacklist- where we delete at IMail level. This we noticed is real efficient. [Action= Delete]
- Blacklist in Header- where the blacklist entries appear in the header but not as the sender. At times spammers use the blacklist domain for Reply To but not the from address. [Action = HOLD]
- Blacklist in body- the blacklist email addresses appear in the body of email. [Action = HOLD]

We recently added another filter and it is:

REVDNS 0 ENDSWITH Blacklist entry

Of course our output is based on blacklist entries that just have .domain.com

This has worked well and has caught a number of emails. Just thought to share this...

Regards, Kami
Re: [Declude.JunkMail] False Positives
When I checked last month I was doing about 1 in 20,000 (.005%), but this takes some fairly sophisticated tuning.

Dan

On Friday, July 11, 2003 9:18, Douglas Brantley [EMAIL PROTECTED] wrote:

New to list... We are considering purchasing Declude Junkmail. I am concerned about false positives and the time required to deal with them. Of those of you currently running Declude Junkmail, what is your rate of false positives and how do you best manage the false positives?

Thanks in advance.

db
Re: [Declude.JunkMail] Bizarre DJM Pro Situation
.tpcper is Topica. They come out with new spamming domains continuously while keeping their IPs fixed. Blocking their IPs however, also blocks all the newsletters they publish. I've been testing their removal system for the last 2 months, if you enter the recipient's email address here with the bottom 2 boxes checked, the tpcper spam stops: http://www.topica.com/help/unsub_all.html

Dan

On Wednesday, July 9, 2003 9:31, Dan Geiser [EMAIL PROTECTED] wrote:

Hello, All,

We are using DJM Pro. I'm having an issue with a message that I don't think should have been delivered. Here are the headers...

Received: from out017.tpcper.com [69.24.239.37] by pagerover.com (SMTPD32-6.06) id A4323AA80134; Sun, 06 Jul 2003 15:10:42 -0400
To: [EMAIL PROTECTED]
From: Distribution [EMAIL PROTECTED]
Subject: re: Take a Short Survey, Win a New Computer System!
Date: Sun, 06 Jul 2003 12:08:04 -0700
Message-ID: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
X-Declude-Sender: [EMAIL PROTECTED] [69.24.239.37]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: OSSRC, EASYNET-DNSBL, IPNOTINMX, WEIGHT05, WEIGHT07, WEIGHTRANGE05-59, WEIGHTRANGE07-59 [8]
X-Spam-Prob: 0.451398
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 345762330
Status: U

This message was sent to one of our internal domains microgallery.com which is a host alias on the IMail site pagerover.com

The active entries in the $default$.junkmail are...

CATCHALLMAILS COPYTO [EMAIL PROTECTED]
FROMFILE-HOLD HOLD
IPFILE-HOLD HOLD
MAILFROM HOLD
WEIGHTRANGE05-59 HOLD
WEIGHT60 ROUTETO [EMAIL PROTECTED]
FILTER-BODY-IP WARN
FILTER-BODY-PHONE WARN
FILTER-BODY-URL WARN
FILTER-MAILFROM WARN
SPAMCOP WARN

and associated entries in GLOBAL.CFG are

WEIGHT60 weight x x 60 0
WEIGHTRANGE05-59 weightrange x x 5 59
FILTER-BODY-IP filter D:\iMail\declude\JunkMail.Filter.Body.IP.txt x 0 0
FILTER-BODY-PHONE filter D:\iMail\declude\JunkMail.Filter.Body.Phone.txt x 0 0
FILTER-BODY-URL filter D:\iMail\declude\JunkMail.Filter.Body.URL.txt x 0 0
FILTER-MAILFROM filter D:\iMail\declude\JunkMail.Filter.MailFrom.txt x 0 0
FROMFILE-HOLD fromfile D:\iMail\declude\JunkMail.FromFile.Hold.txt x 0 0
IPFILE-HOLD ipfile D:\iMail\declude\JunkMail.IPFile.Hold.txt x 0 0

For the life of me I cannot figure out why this was delivered to the recipient. Does anyone have any insight?

Thanks, Dan Geiser [EMAIL PROTECTED]
Re: [Declude.JunkMail] REDIRECT configuration
The assumption is that multiple folders are needed, you are running multiple domains through the same gateway. I've been using REDIRECT for over a year and there are advantages to customization, being able to REDIRECT with some and SUBJECT with others, or different versions of each.

Additionally, having or not having a default file for a given domain allows me to control which domains get filtering and when. Right now, for example, I'm working with a client who passed away in the middle of ramping up so I turned off filtering to let his wife take a breath before having to deal with it.

To automate the process, you can use a .bat file such as this, which I use to update multiple servers at the same time:

copy \\[source file] \\[destination server]\c$\imail\declude\domain.com

Dan

On Wednesday, July 9, 2003 13:46, Russ Uhte [EMAIL PROTECTED] wrote:

At 02:39 PM 7/9/2003, you wrote:

I had this problem with a domain that was not on my server and wanted to use REDIRECT to point to another junkmail file. But it always used the outbound settings in the global.cfg. You said when I had the issue you were going to have this fixed in a future beta release. Has it been fixed

The REDIRECT option was set up that way by design, and I'm not aware of any plans to change the behavior.

So if I was only going to use the REDIRECT command with those types of domain, don't worry about it? I should just stay with the tried and true method? I'll agree with Kevin, this would be a nice feature for store-and-forward domains. That way I don't have to maintain a bunch of separate folders and files.

Thanks, Russ
[Declude.JunkMail] OT: Spam News
Thought these might be of interest:

New site spoofs PayPal to get billing information
http://maccentral.macworld.com/news/2003/07/09/paypal/

Congress fights over spam opt-in rules
http://maccentral.macworld.com/news/2003/07/09/spam/
[Declude.JunkMail] Postage
Anyone else get this?:

==

Dear Sir/Madam

I would like to inquire if you would be interested in incorporating email postage support to your product. It will allow your customers to enforce payment for emails that are not on their white list, or have a certain level of spam ranking. If you are, please contact me and I will be happy to talk to you about our technology and how we can partner to provide you the tools to implement these tested technology.

Best regards,

==

Looks like a payment company looking to branch out

Dan
Re: [Declude.JunkMail] Increased Spam?
I've seen as much as a doubling over the last 3 months but nothing in particular over the last week. Is your total/total up, or just the stuff getting through?

Dan

On Monday, July 7, 2003 9:48, Koree A. Smith [EMAIL PROTECTED] wrote:

Was just curious if anyone else is seeing the HUGE increase we've seen. I hate to be paranoid, but it seems to coincide with the introduction of the government's do not call list. I've heard of threats by telemarketing companies to begin sending out huge amounts of junk email and snail mail. I've seen probably a 50% increase in the junk that's not getting caught within the last week.

Just curious if anyone else has seen this, and if so, what you did to cut it back down.

Thanks, Koree
Re: [Declude.JunkMail] open relay tester
So how good are these tests? I've been tracking spam from mail.fea.net for the last few days (over 40 in the last 12 hours alone), all seem to be relayed and fea.net seems to be a friendly neighborhood ISP. They don't show up in any DBs, so I had to block their IP.

Dan

On Sunday, July 6, 2003 8:34, Bill Landry [EMAIL PROTECTED] wrote:

Try: http://www.dnsreport.com/

Run the DNS Report against a domain hosted by the mail server. In the mail section you should see the following if they are not an open relay:

PASS Open relay test OK: All of your mailservers appear to be closed to relaying.
gw2.pointshare.com OK: 550 : Relay access denied
gw1.pointshare.com OK: 550 : Relay access denied

Some other relay test sites:

http://www.abuse.net/relay.html
http://www.ja.net/mail/anti-spam/STAN.html#request
http://www.ordb.org/submit/
http://www.btoy1.rochester.ny.us/Security/MailTest.php

Also, you can telnet from a mail server to mail-abuse.org and it will run an interactive relay test in real time back to the connecting mail server (see http://mail-abuse.org/tsi/ar-test.html).

Bill

- Original Message -
From: David Dodell [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 06, 2003 8:14 AM
Subject: [Declude.JunkMail] open relay tester

I have a customer who claims that their exchange box is closed as an open relay ... however, I'm seeing hundreds of spam messages come through them that started on Friday. I've shut down their outbound service, but I thought DNSSTUFF had an open relay test of some type but can't find it. Is there any other open relay tester I can use so I can document this for them?

David
Re: [Declude.JunkMail] re: Strange logging
I don't know about log analyzers, but there's a way around message interlacing for manual log review. BBEdit shows search results in a new window, so I search for the message's code (like D06f811ed0094f08e) and every line with the code is isolated and displayed in a single concise package. I don't know if text editors for Windows have similar functionality.

A more labor intensive way to do the same thing is wiping out the time in the mixed entries and then auto sorting.

Dan

On Wednesday, July 2, 2003 17:57, Kevin Bilbee [EMAIL PROTECTED] wrote:

Note some of the log lines in the attached log snip are merged together. I caught this when my log analyser told me that I have a test called SPAM07/02/2003

LOGLEVELHIGH
Declude version 1.70i14

Look at the time slice of 09:24:32 - 09:24:33, it looks like 6 processes were trying to write to the log at the same time.

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332
Changing the way industry works.
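Both points in this exchange, as an added Python sketch that is not from the thread: it splits physical lines that two writers merged (the cause of a bogus test name such as SPAM07/02/2003), groups records by message code the way the BBEdit search does, and leaves cut-off records out of the tally. The record layout (date, time, message code, text), the helper names and the sample lines are assumptions constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed record layout: "MM/DD/YYYY HH:MM:SS <message code> <text>".
STAMP = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(r"(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)")

# Constructed sample: line 2 holds two records fused mid-word, and line 3
# is the orphaned tail of the record that was cut off.
SAMPLE_LOG = [
    "07/02/2003 09:24:32 D06f811ed0094f08e Msg failed SPAMCOP",
    "07/02/2003 09:24:32 D06f9120a0094f08f Msg failed SPAM"
    "07/02/2003 09:24:33 D06f811ed0094f08e Msg failed NOLEGITCONTENT",
    "COP",
    "07/02/2003 09:24:33 D06f9120a0094f08f Msg failed IPNOTINMX",
]


def split_merged(line):
    """Cut one physical line at every embedded date/time stamp.

    Returns (pieces, clean); clean is True only when the line is exactly
    one record that starts with a stamp.
    """
    line = line.rstrip("\r\n")
    starts = [m.start() for m in STAMP.finditer(line)]
    if starts == [0]:
        return [line], True
    cuts = sorted(set([0] + starts))
    pieces = [line[a:b] for a, b in zip(cuts, cuts[1:] + [len(line)])]
    return [p for p in pieces if p.strip()], False


def deinterleave(lines):
    """Group records by message code; return (by_id, orphan_fragments).

    Each record is (time, text, complete). Every piece of a merged line
    except the last was interrupted by another writer, so it is marked
    incomplete instead of being trusted.
    """
    by_id = defaultdict(list)
    fragments = []
    for line in lines:
        pieces, clean = split_merged(line)
        for index, piece in enumerate(pieces):
            match = RECORD.fullmatch(piece)
            if match is None:
                fragments.append(piece)   # tail with no stamp of its own
                continue
            _date, time, msg_id, text = match.groups()
            complete = clean or index == len(pieces) - 1
            by_id[msg_id].append((time, text, complete))
    return dict(by_id), fragments


def failed_test_counts(by_id):
    """Tally 'Msg failed <TEST>' records, skipping truncated ones."""
    counts = Counter()
    for records in by_id.values():
        for _time, text, complete in records:
            match = re.match(r"Msg failed (\S+)", text)
            if match and complete:
                counts[match.group(1)] += 1
    return counts


if __name__ == "__main__":
    grouped, orphans = deinterleave(SAMPLE_LOG)
    for msg_id, records in grouped.items():
        print(msg_id, records)
    print("orphans:", orphans)
    print(failed_test_counts(grouped))
```

Records marked incomplete stay attached to their message code, so they remain visible for manual review even though they are excluded from the counts.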
[Declude.JunkMail] Resolution
A general tip:

If you find yourself wanting to split a weight amount, say 5 is too low and 6 is too high, you can't use 5.5, but you can increase the resolution. Take every weight in your entire configuration (EVERY weight at once, including all action files) and multiply them by the same number. x2 or x10 are good for simplicity. That 5 or 6 then becomes 10 or 12 (split with 11) or 50 to 60 (split with 55).

This extra resolution enables finer tuning/adjustment/control.

Dan
Re: [Declude.JunkMail] time-dependently hold weight
Wow, I can't believe you guys, this stuff is amazing. Now to figure out what grep is so I can use it! Would something written in php be as strong/fast?

Dan

On Saturday, June 28, 2003 20:09, Bill Landry [EMAIL PROTECTED] wrote:

Okay, here is a small contribution to the list. Markus, this script:

grep "Total weight =" m:\imail\spool\spam\log\dec0628.log | gawk "{print $2, $NF}" > log0628.txt

will output a file called log0628.txt in the following space delimited format (snip):

16:35:17 64
16:35:29 78
16:35:39 0
16:36:10 1
16:36:35 69
16:36:39 -13
16:36:50 90
16:36:51 37
16:36:55 74

As Markus noted, the UNIX utilities needed to run these scripts can be found at: http://unxutils.sourceforge.net/

There is no installation, just simply extract the files contained in the zip file into a directory and you're all set.

Here are a couple of additional scripts to get you thinking about the power of these utilities, which hopefully people will share with the list as they develop their own scripts. The following script will list all of your Declude tests and show how many messages were flagged by the test:

egrep "Message OK|Msg failed" m:\imail\spool\spam\log\dec0615.log | gawk "{print $6}" | sort | uniq -c | sort -rn

This will output a report like the following, in less than 30 seconds (if any of you have run some of the other JunkMail log reporting tools, you will find this quite extraordinary in comparison to the hours it takes to run reports with these other reporting tools):

9870 SPAMCHECK
8827 NOLEGITCONTENT
8082 IPNOTINMX
7728 SM-SPAM-L1
7466 SM-SPAM-L2
7154 SPAMSNIFFER
6793 WEIGHT36-
6541 SM-SPAM-L3
5749 REYNOLDS
5698 HEADERS-FILTER
5058 EASYNET-DNSBL
4867 SM-SPAM-L4
3932 SUBJECT-FILTER
3762 BODY-FILTER
3610 OSSRC
2973 SPAMHAUS
2902 OK
2827 SPAMCOP
2759 NJABL
2605 OSSOFT
2497 SM-SPAM-L5
2480 INTERSIL
1807 NOMOREFUNN
1486 VOX
1420 BLARSBL
1300 FIVETEN-SRC
1290 MAILFROM-FILTER
1203 NOABUSE
1188 NOPOSTMASTER
1077 HELO-FILTER
1070 REVDNS
1010 DSBL
952 SORBS
919 EASYNET-PROXIES
783 DSN
726 MONKEYPROXIES
689 BADHEADERS
680 HEURISTICS
680 HELOBOGUS
651 WEIGHT16-35
642 REVDNS-FILTER
422 SPAMBAG
416 BLITZEDALL
397 SPAMDOMAINS
391 LONGSUBJECT
356 ROUTING
306 OSPROXY
306 FIVETEN-OPTIN
300 COMMENTS
294 IPWHOIS
267 SUBJECTSPACES
247 UCEB
228 SM-ADULT-L1
221 SM-ADULT-L2
217 SM-ADULT-L3
210 BASE64
182 SM-ADULT-L4
178 LEADMON
149 SM-ADULT-L5
140 MAILFROM
114 BH-CHINA
97 FABEL
71 KOREA-NETS
71 KITHRUP
71 BH-KOREA
68 BONDEDSENDER
62 EASYNET-DYNA
55 DSBL-MULTI
54 SPAMHEADERS
53 PIGS
52 OSRELAY
51 ORDB
44 BH-JAPAN
34 OSDIPS
32 BH-ARGENTINA
29 BH-RUSSIA
27 BH-BRAZIL
18 BH-TAIWAN
18 BH-HONGKONG
16 KUNDENSERVER
14 BH-THAILAND
10 DNSRBL-DUN
8 EXSILIA-SPAM
7 FIVETEN-MULTI
4 NONENGLISH
3 REMOTEIP-FILTER
3 BH-MALAYSIA
1 OSLIST
1 BH-SINGAPORE

The following script will allow you to view the subject line of all messages flagged by whatever test you define in the script (in this case I used SORBS), and will sort them by count:

egrep "Msg failed SORBS|Subject:" m:\imail\spool\spam\log\dec0617.log | grep -A 1 SORBS | grep Subject | cut -b 39- | sort -f | uniq -ic | sort -rfn

The output looks like (snip):

10 Subject: You want a bigger one?
9 Subject: Is your manhood too small?
9 Subject: CheapTrips Airfares: Best Price Guaranteed
8 Subject: prevent stretch marks during pregnancy
8 Subject: Baby Boomers to GenX dhj k
8 Subject: ##Low Income Funding Program vyig
8 Subject: ##Low Income Funding Program h ymuviwtx uggldu
7 Subject: View Photos Of Sexy Singles In Your Area
7 Subject: SUCCESS... dizaa
7 Subject: rsvp-feel better guaranteed
7 Subject: Earn $500 a Week Easily !
6 Subject: Increase your Penis by 2 to 5 full inches in Weeks.
6 Subject: Earn $2000 Weekly Easily!
5 Subject: good news - accelerates recovery from athletic injury
5 Subject: Bargain Shoes
5 Subject: #Government Loan Program### ryb o q

These scripts have to run all on one line, with no carriage returns, in order to work properly. Also, you will need to run these scripts from the directory that you have extracted the UNIX utilities to. This is because some of the files have the same name as Windows utilities, like sort for example.

Speaking of sort, which is used in a couple of these scripts, there appears to be about a 2mb size limitation on the content you are trying to sort. It will only be an issue if your log files are around 25mb or larger, since the script is trying to sort on the output of the first grep command. I have sent an e-mail to the developer asking him about this size limitation, since there appears
Re: [Declude.JunkMail] OT: National Do Not Call Registry
If you want a technological solution, put these tones on your answering machine:

http://www.scn.org/~bk269/errorbeeps1.wav

The automated calling systems will log your number as being disconnected (only one of the three is needed, I forget which) and not call you back.

But yes, your cynicism is well founded, with so many powerful special interests, it's tough for the normal interests to have a say. Reminds me of how the soda companies lobby for government subsidies for corn so they can pay less for corn syrup.

Dan

On Friday, June 27, 2003 19:06, Todd Holt [EMAIL PROTECTED] wrote:

When will the government listen to the will of the people and just outlaw spam and tele-marketing (with severe enough penalties to deter)?

Ooops. I'm sorry. I had a brain fart. I wasn't thinking that the lobbyists for keeping spam and tele-marketing around have deeper pockets than the poor users. Combined with the golden rule of capitalism: He who has the gold makes the rules., results in what we have today.

I think that the do not call list will result in a new call list worth $$MM.

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Friday, June 27, 2003 6:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: National Do Not Call Registry

More info and stats: http://www.bankrate.com/brm/news/advice/20030627a1.asp

The Federal Trade Commission says more than 1,000 people per second are trying to register either online or by phone. In an ironic twist, a technology consulting firm discovered that spam filters, specifically Yahoo's and perhaps others, are blocking many of the confirmation e-mails consumers are supposed to receive to complete their online registration.

On Friday, June 27, 2003 12:49, Dan Patnode [EMAIL PROTECTED] wrote:

Stops the telemarketers (with some exceptions), debuted this morning: http://donotcall.gov/

More junk stopping info: http://www.obviously.com/junkmail/
Re: [Declude.JunkMail] Getting Ready to Activate SPAMDOMAINS
Strategy:

1) Create a list (or start with Bill's excellent list) with a small weight, say half of what you use for open relay databases.
2) Increase the weight gradually until you start getting FPs, then back it down a bit.
3) Create a second list/test, I call SpamierDomains. When an uncaught spam failed the first SpamDomains list but didn't have enough weight, add it to Spamier. Don't add domains to this 2nd file that are commonly used out of place like hotmail and yahoo.

This might look like this:

    SpamDomains spamdomains d:\IMail\Declude\SpamDomains.txt x 4 0
    SpamierDomains spamdomains d:\imail\declude\SpamierDomains.txt x 1 0

Once you're this far, come back with follow-up questions.

Dan

On Friday, June 27, 2003 13:59, Dan Geiser [EMAIL PROTECTED] wrote:

Hi, Again,

Would anyone care to comment on my original posting? If my questions are too simple or complex or some place in between or my message is too long or the questions themselves just don't have an answer then please let me know and I'll try and proceed with my current knowledge base.

Thanks, Much!
Dan Geiser [EMAIL PROTECTED]

- Original Message -
From: Dan Geiser [EMAIL PROTECTED]
To: Declude JunkMail [EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 5:02 PM
Subject: [Declude.JunkMail] Getting Ready to Activate SPAMDOMAINS

Hello, All,

I'm getting ready to put SPAMDOMAINS in place on my installation of Declude JunkMail Pro. Before I flip the switch I had a few questions which I was hoping that those who are currently using SPAMDOMAINS could answer...

1) Increase message weight or HOLD?

I realize that there are 2 ways, possibly more, that I can actually do something to a message when it's recognized by SPAMDOMAINS. One is to increase the weight by a certain amount, e.g. 20 points, until I'm pretty sure it will fall over my hold weight. Another way to do it would be just to HOLD on failure of the SPAMDOMAINS outright.

My tendency is to want to just increase the weight somewhat to fall in line with the standard way of doing things, i.e. not HOLDing on any one test, but because I've read on this list that Kami is currently HOLDing I thought maybe that was viable as well. Perhaps I can start out with a weight increase and then move to HOLD later on?

Regardless, for those of you who currently have SPAMDOMAINS implemented I'm looking for some feedback as to which way you feel it is best to go. If you fall in the camp who thinks just increasing the weight should be sufficient could you recommend a good point value to increase it by? I'm still using all of the default point values that come with GLOBAL.CFG if that helps.

2) Start out with one entry in SPAMDOMAINS

Since I've seen lots of domains bandied about which fit the SPAMDOMAINS bill I was thinking of maybe just starting out with one domain, Hotmail.com, to ease in to how all of this works. Can someone provide me with the entries for spamdomains.txt given the current wisdom on Hotmail.com?

3) What triggers additional entries to spamdomains.txt?

For those who are currently running SPAMDOMAINS, what occurrence in your spam tuning process triggers the addition of a new entry to spamdomains.txt? Is it just seeing the headers of an obvious spam which makes it through the current filters or are you actively seeking out new potential SPAMDOMAINS all of the time, by searching the HELD queue, etc?

4) Maintaining One Master SPAMDOMAINS List

I've seen discussion on here about someone perhaps maintaining one master list of all of the SPAMDOMAINS. Is that currently happening? If so, where can I obtain the official list? If not, is that plan still in the works?

5) Actual Entries to Enable SPAMDOMAINS

Just for review I want to make sure I'm planning on implementing it properly.

5a) Add an entry to GLOBAL.CFG which looks something like the following...

    SPAMDOMAINS spamdomains D:\iMail\declude\JunkMail.SpamDomains.txt x 0 0

If I want to increase the points which SPAMDOMAINS adds to the total weight then I would increase the number in the 5th column (2nd to last column).

5b) Create a file called JunkMail.SpamDomains.txt (without the quotes) and add the entry...

    hotmail.com

If I want I can also add aliases for servers that the Hotmail.com domain might pass through like MSN.COM, etc.

5c) Add an entry in the $default$.junkmail file which looks something like...

    SPAMDOMAINS WARN

or if I want to actually block for all mail which fails the SPAMDOMAINS test I can put...

    SPAMDOMAINS HOLD

Thanks In Advance For Any and All Feedback!

Take Care,
Dan [EMAIL PROTECTED]

This E-mail is scanned and free from viruses. www.nexustechgroup.com
[Declude.JunkMail] International SpamDomains
I have an uncaught spam with an interesting profile:

    HELO: x-stream.co.za
    RDNS: m48.net81-66-160.noos.fr
    FROM: arcticstock.no

I'm wondering about a SpamDomains config that looks for mismatches in domains other than com/net/org. It would go beyond individual domains and nail whole countries at a time. With ENDWITH, the entries would look like

    .za
    .fr
    .no

But SpamDomains only does CONTAINS, making the likelihood of mismatch FPs too high (imagine if the address was [EMAIL PROTECTED]). Is there a way to do this that I'm missing?

Dan
[Declude.JunkMail] OT: National Do Not Call Registry
Stops the telemarketers (with some exceptions), debuted this morning: http://donotcall.gov/

More junk stopping info: http://www.obviously.com/junkmail/
Re: [Declude.JunkMail] OT: National Do Not Call Registry
More info and stats: http://www.bankrate.com/brm/news/advice/20030627a1.asp

The Federal Trade Commission says more than 1,000 people per second are trying to register either online or by phone. In an ironic twist, a technology consulting firm discovered that spam filters, specifically Yahoo's and perhaps others, are blocking many of the confirmation e-mails consumers are supposed to receive to complete their online registration.

On Friday, June 27, 2003 12:49, Dan Patnode [EMAIL PROTECTED] wrote:

Stops the telemarketers (with some exceptions), debuted this morning: http://donotcall.gov/

More junk stopping info: http://www.obviously.com/junkmail/
Re: [Declude.JunkMail] time-dependently hold weight
It's been a horrible week, but I need the distraction...

I've considered this a few times, every time I prepare to suggest it I remember what happened with my idea to test for long subjects, there just isn't enough uniformity.

My concern isn't so much uniformity of technical things like tracking time zones and the like, but rather the way the world spins. A system that penalizes (or rewards) based on when (even if cross referenced when it arrived) would still have to deal with localization. Can a system reliably know a message was sent during daylight/working hours from where it was sent?

The only reliable way I can see is if Scott found a way (assuming the receiving server's clock was set correctly) to cross reference the geo code of the sender's IP address with the arrival time of the message.

BTW, the graph is amazing, how is it made?

Dan

On Friday, June 27, 2003 17:12, Markus Gufler [EMAIL PROTECTED] wrote:

Hi spam-fighters,

What do you think about a time-dependently hold weight? Maybe this can be helpful on certain systems (where all users work in the same time zone) to reduce FP's.

For further explanation please see the PDF-file located at www.zcom.it/decludeupdater/returncodes.pdf (280 kB).

- The red dots are single messages over 24 hours (x) and their weight (y).
- The blue line is the average value of all weights in this time range.
- The yellow line is our current hold weight of 100 points. (consider it 100% if you hold on the default weight of 20 points)

Now my suggestion/question: As you can see, our server processes most legit messages between 8:00 AM and 8:00 PM. So why not increase the hold weight slightly in this time range and decrease it a little bit on the resting time? (green line)

Counting our FP's from the last 20 days and increasing the hold weight during business time from 100 to 110 this will avoid 65% of them. Naturally the increased hold value lets pass some more spam messages, but with 225 more delivered spam (that has received a weight between 100 and 110 points) from over 14000 hold spam in the last 20 days this is very few.

Theoretically we all can create two identical configuration files with 2 different hold weights and switch between these two with a scheduled task. No additional resources are needed.

...or am I missing something?

Markus
[Declude.JunkMail] OT: Political Spam
I preface this by saying that my techniques are based on studying and understanding spammers and the way they behave. More Sun Tzu than Zen:

I've been noticing an increasing number of politically oriented spam, starting after the war with Iraq. The most wanted playing card spam turned into getting those who opposed the war. Since, I've seen anti Bush, pro Bush, and now anti Hillary and pro Hillary.

This begs the question, are spammers (as a group) more Republican or Democrat?

Maybe the 2010 US Census will have Spammer as an occupation...

Dan
[Declude.JunkMail] .biz (followup)
Here's Kami's and one weeks worth of catches, all are BODY CONTAINS. I test/confirm all hard tests, so the second group has not yet been proven:
Re: [Declude.JunkMail] OT: Fraud Alert
I eventually got 4 copies from 3 IPs, 24.x.x.x plus:

    68.82.235.252
    81.202.170.237

No relaying. Interestingly, 3 of them got caught.

Dan

On Wednesday, June 18, 2003 23:24, J Porter [EMAIL PROTECTED] wrote:

Ask and ye shall receive... whether you want it or not.. )

~Header~
Received: from attbi.com [24.131.138.246] by mail.hnb.com (SMTPD32-7.03) id AE3F48EA013A; Wed, 18 Jun 2003 16:48:47 -0500
Received: from h00036d13b375.ne.client2.attbi.com (h00036d13b375.ne.client2.attbi.com [24.131.138.246]) by attbi.com (8.12.5/8.12.5) with ESMTP id itecdf78756 for [EMAIL PROTECTED]; Wed, 18 Jun 2003 18:44:48 -0400 (EST)
Message-ID: [EMAIL PROTECTED]
From: Arvind Fwpreg [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BestBuy Order #1095619. Fraud Alert.
Date: Wed, 18 Jun 2003 18:44:46 -0400 (EST)
MIME-Version: 1.0
Content-Type: multipart/related; type=multipart/alternative; boundary==_NextPart_000_000F_01C33095.9F84B280
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [24.131.138.246]
X-Note: This E-mail was scanned at HNB.COM ISP for spam.
X-Spam-Tests-Failed: NOPOSTMASTER
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 339081275
~~

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 1:10 AM
Subject: RE: [Declude.JunkMail] OT: Fraud Alert

Filter file for BODY your-instant-credit-reporter.org without the quotes.

Can some one post the full headers?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

--- [This E-mail scanned for viruses at HNB.com]
Re: [Declude.JunkMail] Tar Pitting
I'm intrigued by this idea. During a given minute of time I may get 1000 messages. 1/4 of them are slowed down (occupying more SMTP/Declude sessions), but the burden is spread out.

Can this be applied to increase server capacity? If I throttle, at the firewall, the IPs of spammers, will the load on my server be less?

Has anyone tried this on a maxed out server?

Dan

On Sunday, June 15, 2003 16:01, Rifat Levis [EMAIL PROTECTED] wrote:

People interested in tarpitting and Declude firewall integration can read this.

I just finished the tarpitting protection for my IMAIL server. I am sending logs to the kiwi syslog server and forwarding it to SQL to analyse data. When in a 2 min period a single ip sends mail to more than 5 unknown accounts I am blocking the ip address on my netscreen firewall for 1 hour.

The next step of this is to integrate Declude to the firewall. I have 3 weights:

    weight 10 warn
    weight 15 warn
    weight 20 delete

Instead of deleting weight 20 I will forward it to an account to send data to SQL, analyse it and then block it for 1 hour.

NOTE : I am sure that KAMI will be interested :)

Best Regards
Rifat Levis
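The blocking rule Rifat describes (more than 5 unknown recipients from one IP inside 2 minutes, then a 1-hour block) can be sketched as a sliding-window detector. This is an added example, not code from the original posts or from IMail, Declude or NetScreen; the log line layout, the sample addresses and the choice to count distinct recipients are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)    # "in a 2 min period"
THRESHOLD = 5                    # "more than 5 unknown accounts"
BLOCK_FOR = timedelta(hours=1)   # "for 1 hour"

# Constructed sample input. The layout "date time client-ip recipient status"
# is an assumption for this example, not IMail's real log format.
SAMPLE_LOG = """\
2003-06-15 16:00:01 192.0.2.10 a1@example.test unknown
2003-06-15 16:00:05 203.0.113.5 alice@example.test known
2003-06-15 16:00:10 192.0.2.10 a2@example.test unknown
2003-06-15 16:00:20 192.0.2.10 a3@example.test unknown
2003-06-15 16:00:25 198.51.100.7 b1@example.test unknown
2003-06-15 16:00:30 192.0.2.10 a4@example.test unknown
2003-06-15 16:00:40 192.0.2.10 a5@example.test unknown
2003-06-15 16:00:50 192.0.2.10 a6@example.test unknown
2003-06-15 16:02:30 198.51.100.7 b2@example.test unknown
2003-06-15 16:04:35 198.51.100.7 b3@example.test unknown
2003-06-15 16:06:40 198.51.100.7 b4@example.test unknown
2003-06-15 16:08:45 198.51.100.7 b5@example.test unknown
2003-06-15 16:10:50 198.51.100.7 b6@example.test unknown
2003-06-15 16:30:00 192.0.2.10 a7@example.test unknown
"""


def parse(line):
    """Split one constructed log line into (timestamp, ip, recipient, is_unknown)."""
    date, time, ip, rcpt, status = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, rcpt.lower(), status == "unknown"


def find_blocks(lines):
    """Return (ip, blocked_at, blocked_until) for every block the rule would issue.

    Lines must be in chronological order, as they are in a log file.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) still inside the window
    blocked_until = {}
    blocks = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, rcpt, unknown = parse(line)
        if ip in blocked_until and ts < blocked_until[ip]:
            continue             # the firewall would already be dropping this IP
        if not unknown:
            continue             # deliveries to real accounts never count
        window = recent[ip]
        window.append((ts, rcpt))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()     # forget attempts older than 2 minutes
        # Count distinct addresses so retries to one address do not trip the rule.
        if len({r for _, r in window}) > THRESHOLD:
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((ip, ts, ts + BLOCK_FOR))
            window.clear()
    return blocks


if __name__ == "__main__":
    for ip, start, end in find_blocks(SAMPLE_LOG.splitlines()):
        print(f"block {ip} from {start} until {end}")
```

The slow sender (198.51.100.7) also hits six unknown accounts but never more than one per window, so it stays under the rule; that is the traffic the throttling idea in this thread is aimed at.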
Re: [Declude.JunkMail] Tar Pitting
Interesting Scott, I'm not sure I want to do true tarpitting, I want the spam to get through eventually (just in case it's not), just way after the legitimate stuff.

I use Netscreen firewalls and their technical info says throttling to less than 10kbps risks dropping the connection. The idea would be to slow it down enough to:

1) Give priority to non spam
2) Push spam back in time to a moment of low server load
3) Make spammers' sending less efficient

Would throttling to 15kbps be slow enough to still make a difference?

Brian, Alligate looks like a good complement to Declude. Given that it includes features provided by Declude's decode option, do you know if it takes a smaller CPU hit? Does running DECODE OFF and Alligate on take less, more, or about the same load on a server?

Thanks!

Dan

On Wednesday, June 18, 2003 12:25, R. Scott Perry [EMAIL PROTECTED] wrote:

> I'm intrigued by this idea. During a given minute of time I may get 1000 messages. 1/4 of them are slown down (occupying more SMTP/Declude sessions), but the burdon is spread out.

Actually, with true tarpitting, there would be slightly fewer SMTP32.exe and Declude.exe processes (they would only get started after the E-mail was received). The number of SMTPD connections (live TCP/IP connections) would increase, but IMail can technically handle 1,000+ simultaneous SMTPD connections.

> Can this be applied to increase server capacity? If I throttle, at the firewall, the IPs of spammers, will the load on my server be less?

It would be less, assuming that IMail can handle it (and that your firewall can do the tarpitting). I'm not aware of any firewalls that can do true SMTP tarpitting (which requires sending short bits of data occasionally to prevent timeouts), but you could simulate it with throttling.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] Tar Pitting
Rick,

Makes me wonder if spammers cause traffic surges/spikes that slow our servers down and if this would also smooth those spikes down.

Suppose a given sending server had 100 copies of a particular message, running only 5 sessions (speculation) at a time, could the sessions be dragged into off peak hours? If the firewall (or Alligate) could be configured to open the flood gates between midnight and 5am, the queues would be empty by the next morning.

Dan

On Wednesday, June 18, 2003 12:39, Rick Davidson [EMAIL PROTECTED] wrote:

I find the idea intriguing as well but if you start to slow down connections wouldn't that just hold TCP connections open longer possibly making fewer connections available on the server?

One of the methods of thwarting file sharing sites is to trickle download many files so that others cannot make connections, would this not have the same effect as tar pitting spammers? Especially since the pro spammers send the same spam run through many different servers.

Just thinking out loud.

Rick Davidson
Buckeye Internet Inc
www.buckeyeweb.com
440-953-1900 ext: 222

- Original Message -
From: Dan Patnode [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 3:16 PM
Subject: Re: [Declude.JunkMail] Tar Pitting

I'm intrigued by this idea. During a given minute of time I may get 1000 messages. 1/4 of them are slowed down (occupying more SMTP/Declude sessions), but the burden is spread out.

Can this be applied to increase server capacity? If I throttle, at the firewall, the IPs of spammers, will the load on my server be less?

Has anyone tried this on a maxed out server?

Dan

On Sunday, June 15, 2003 16:01, Rifat Levis [EMAIL PROTECTED] wrote:

People interested in tarpitting and Declude firewall integration can read this.

I just finished the tarpitting protection for my IMAIL server. I am sending logs to the kiwi syslog server and forwarding it to SQL to analyse data. When in a 2 min period a single ip sends mail to more than 5 unknown accounts I am blocking the ip address on my netscreen firewall for 1 hour.

The next step of this is to integrate Declude to the firewall. I have 3 weights:

    weight 10 warn
    weight 15 warn
    weight 20 delete

Instead of deleting weight 20 I will forward it to an account to send data to SQL, analyse it and then block it for 1 hour.

NOTE : I am sure that KAMI will be interested :)

Best Regards
Rifat Levis
[Declude.JunkMail] Numeral SP00FING
My .biz search continues (more later), but I'm now interested in subject tests for words with numbers substituting for letters. A prime example:

    ST0P Paying T00 MUCH for 1NSURANCE

Easy to stop, but it's silly to make tests for every word in the dictionary. Anyone have some already assembled?

Dan
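One way to cover digit-for-letter subjects like the one above without a filter line per spelling is to turn look-alike digits back into letters and match the result against the keyword list already in use. This is an added example, not from the original post and not a Declude feature; the look-alike table and the KEYWORDS set are assumptions built from the sample subject.

```python
import itertools
import re

# Digits commonly used in place of letters (assumed table; "1" can read as i or l).
LOOKALIKES = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t"}

# Constructed keyword list: the words an existing subject filter already targets.
KEYWORDS = {"stop", "too", "insurance"}

TOKEN = re.compile(r"[A-Za-z0-9]+")


def candidates(token, limit=64):
    """Every reading of a token with its look-alike digits mapped back to letters."""
    choices = [LOOKALIKES.get(ch, ch) for ch in token.lower()]
    readings = itertools.product(*choices)
    # The cap keeps a token stuffed with ambiguous digits from exploding.
    return {"".join(r) for r in itertools.islice(readings, limit)}


def spoofed_hits(subject, keywords=frozenset(KEYWORDS)):
    """Return (token, keyword) pairs where a keyword was written with digits.

    Plain spellings are left to the ordinary filter; only substitutions are
    reported, so the result can carry its own weight.
    """
    hits = []
    for token in TOKEN.findall(subject):
        has_letter = any(c.isalpha() for c in token)
        has_digit = any(c.isdigit() for c in token)
        if not (has_letter and has_digit):
            continue      # pure words and pure numbers (order ids, years) are skipped
        if any(c.isdigit() and c not in LOOKALIKES for c in token):
            continue      # contains a digit with no letter reading
        for word in sorted(candidates(token) & set(keywords)):
            hits.append((token, word))
    return hits


if __name__ == "__main__":
    for subject in (
        "ST0P Paying T00 MUCH for 1NSURANCE",      # sample from the post above
        "BestBuy Order #1095619. Fraud Alert.",    # subject quoted elsewhere on this page
        "Order 2 MP3 players, STOP paying too much",  # constructed
    ):
        print(subject, "->", spoofed_hits(subject))
```

Because a hit requires the decoded token to equal a keyword, tokens such as MP3 or an order number do not fire, and one keyword entry covers every digit spelling of that word.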
[Declude.JunkMail] OT: Fraud Alert
Watch out for this one, the underlying code looks like:

    href="http://www.your-instant-credit-reporter.org/fraud.html"><FONT face=Arial size=2>BestBuy.com/fraud_department.html</FONT></A></DIV></BODY></HTML>

The subject reads:

    BestBuy Order #1095619. Fraud Alert.

The message reads:

Dear customer,

Recently we have received an order made by using your personal credit card information. This order was made online at our official BestBuy website on 06/19/2003. Our Fraud Department has some suspicions regarding this order and we need you to visit a special Fraud Department page at our web store where you can confirm or decline this transaction by providing us with the correct information. This e-mail address has been taken from National Credit Bureau.

Click the link below to visit a special Fraud Department page to resolve the cause of the problem.

BestBuy.com/fraud_department.html

--
ORDER# 1095619 - STATUS: SUSPENDED
ITEMS PURCHASED
--
Item No: 73890 CDA-9815 In-Dash CD Player/Ai-Changer Controller
Price: $387.65 Qty: 2 Total: $775.3

The order listed above has not yet been processed. The reason for the delay in processing your order is:

- UNVERIFIED SHIPPING ADDRESS -

Information provided:

Shipping
41 WINHAM ST
Staten Island, NY 10306
United States
phone# 206-337-9843

In our effort to deter fraudulent transactions, we need your help in providing us with the correct information. Your prompt response is needed to avoid any unauthorized charges to your credit card.

--
Click the link below to visit a special Fraud Department page to resolve the cause of the problem.

BestBuy.com/fraud_department.html
Re: [Declude.JunkMail] How to stop this...
Perhaps a test, that when there are 2 IPs, sees if they match?

Dan

On Monday, June 16, 2003 12:57, Bill B. [EMAIL PROTECTED] wrote:

You can set up a filter to add a weight for that IP specifically:

    HELO 10 CONTAINS 216.220.106.24

Or you could set up a filter to add a weight to any email that uses an IP as its HELO:

    HELO 10 ENDSWITH 0
    HELO 10 ENDSWITH 1
    HELO 10 ENDSWITH 2
    HELO 10 ENDSWITH 3
    HELO 10 ENDSWITH 4
    HELO 10 ENDSWITH 5
    HELO 10 ENDSWITH 6
    HELO 10 ENDSWITH 7
    HELO 10 ENDSWITH 8
    HELO 10 ENDSWITH 9

Bill

-Original Message-
From: David
Sent: Mon, 16 Jun 2003 22:57:22 +0300
Subject: [Declude.JunkMail] How to stop this...

Hi all,

Sorry about the subject being so generic but I was not sure how to call the following. I have been seeing the following in the headers of some email:

    Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com

The first IP is the IP of the mail server. I am not sure how to refer to this but is there a test in JunkMail that tests for this?

Thanks,
David
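The checks discussed in this thread (is the HELO a bare IP, does it differ from the connecting IP, and is it one of the receiving server's own addresses) can be run directly on the Received line David quotes. This is an added example, not code from the original posts or from Declude; the finding names, the own_ips parameter and the third and fourth sample lines are assumptions.

```python
import ipaddress
import re

# IMail-style line as quoted above: "from <HELO> [<connecting IP>] by <server>".
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\[(?P<peer>[^\]]+)\]\s+by\s+(?P<by>\S+)", re.I)


def as_ip(text):
    """Return an ip_address for a bare or bracketed IP, else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def check_helo(received, own_ips=()):
    """List what is suspicious about the HELO in one Received line.

    Returns None when the line is not in the expected layout.
    """
    m = RECEIVED.search(received)
    if m is None:
        return None
    helo_ip = as_ip(m["helo"])
    peer_ip = as_ip(m["peer"])
    findings = []
    if helo_ip is None:
        return findings   # a host name, even one ending in a digit, is not an IP
    findings.append("helo-is-ip")
    if peer_ip is not None and helo_ip != peer_ip:
        findings.append("helo-ip-mismatch")     # the "2 IPs do not match" test
    if helo_ip in {ipaddress.ip_address(ip) for ip in own_ips}:
        findings.append("helo-claims-our-ip")   # sender presents the receiver's address
    return findings


SAMPLES = [
    # From the thread: the HELO value is the receiving mail server's own IP.
    "Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com",
    # From a header quoted elsewhere on this page: ordinary host name HELO.
    "Received: from attbi.com [24.131.138.246] by mail.hnb.com",
    # Constructed: host name that ends in a digit.
    "Received: from mx01 [192.0.2.25] by mail.example.test",
    # Constructed: IP HELO that does match the connecting address.
    "Received: from 192.0.2.25 [192.0.2.25] by mail.example.test",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_helo(line, own_ips=["216.220.106.24"]), "<-", line)
```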
[Declude.JunkMail] .biz Super List
.biz is getting worse with time. By and large, these are sent from general purpose (dialup and broadband) US based accounts, referencing Asian IPs. To counter this, I've begun harvesting .biz domains from the bodies of captured spam - for use in hard tests. My first day's catch:

BODY 0 CONTAINS mainroute.biz
BODY 0 CONTAINS ibetterbuy.biz
BODY 0 CONTAINS health-now.biz
BODY 0 CONTAINS drugcabinet.biz
BODY 0 CONTAINS order-this.biz
BODY 0 CONTAINS mymedicinecabinet.biz
BODY 0 CONTAINS homerx.biz
BODY 0 CONTAINS lender-search.biz

If Scott adds a test that looks up the IP of links in the message body, we could just block the IPs. Until then, anyone else building such a list?

Dan
Re: SPAM: RE: [Declude.JunkMail] .biz Super List
Over 3000 entries, that IS super :)

On Sunday, June 15, 2003 15:30, Kami Razvan [EMAIL PROTECTED] wrote:

Hi Dan: We have a super list of all URLs found in the body. It includes .biz and any other URLs in the body. Take a look at it..

ftp://ftp.XYZ/IMail

Replace XYZ with the domain of my email address.

Regards, Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Sunday, June 15, 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] .biz Super List

.biz is getting worse with time. By and large, these are sent from general purpose (dialup and broadband) US based accounts, referencing Asian IPs. To counter this, I've begun harvesting .biz domains from the bodies of captured spam - for use in hard tests. My first day's catch:

BODY 0 CONTAINS mainroute.biz
BODY 0 CONTAINS ibetterbuy.biz
BODY 0 CONTAINS health-now.biz
BODY 0 CONTAINS drugcabinet.biz
BODY 0 CONTAINS order-this.biz
BODY 0 CONTAINS mymedicinecabinet.biz
BODY 0 CONTAINS homerx.biz
BODY 0 CONTAINS lender-search.biz

If Scott adds a test that looks up the IP of links in the message body, we could just block the IPs. Until then, anyone else building such a list?

Dan
Re: [Declude.JunkMail] Held Spam Management
One other option is not to hold the mail at all. I use these in my action files

ROUTETO [EMAIL PROTECTED]

Where caught messages are delivered to accounts, one for each domain. There's less control and this may not work if those getting the spam aren't checking it.

Dan

On Thursday, June 12, 2003 14:29, Dan Geiser [EMAIL PROTECTED] wrote:

Hello, Everyone, First let me say thanks to all who responded to my e-mails late yesterday. It helped clarify things for me regarding SPAMDOMAINS and also alternatives to per domain whitelisting.

On a separate topic, I'm curious to know how everyone handles the spam which makes it into the imail\spool\spam directory. My current implementation of Declude JunkMail Pro is enabled for only 5 domains. A couple of those domains have only been active for a week. We have about 100 domains on our IMail server so I can't imagine what it's going to be like when I roll this out on a large scale.

It's been 45 days since we bought our copy of Declude JunkMail and so far we have accumulated 23,236 files in the spam directory. Am I correct that each message that was caught has 2 files representing it, i.e. 23,236 files is actually 23,236 / 2 = 11,618 spam messages caught? Assuming that's right it looks like we're holding about 258 spams a day. Which I'm sure is not much compared to some out there.

Unfortunately I don't have time to monitor the spam directory every day so if a few days go by for me then wading through all of those messages to check for false positives becomes quite a chore. And like I said this is only for 5 domains.

I guess, what I'm looking for is hints for handling all of the files which are filtered out by DJM? I've been using Spam Manager to peruse the spam directory. I'm also planning on setting up a clean-up task which will delete any files older than 90 days just so my hard drive doesn't fill up. I'm guessing that one route I could take is to take a DELETE action on spam which has a particularly high weight. Given the DJM default weight is there any weight which people have decided is a good DELETE weight? Is there anything else I'm not thinking of?

Thanks In Advance, Dan

This E-mail is scanned and free from viruses. www.nexustechgroup.com
Re: [Declude.JunkMail] SpamIPs Test Idea
Bill, That's a good thing to keep in mind, however it wouldn't compare IP to MAILFROM, it would compare only IP to RDNS. It would only check for forged RDNS, not caring if you use @webmail.us. Here's an example from Road Runner:

24.88.0.13 ae88-0-013.sc.rr.com

Someone on this IP sending with their own domain (or even from their own email server), will still pass:

24.88.0.0/16 rr.com

Dan

On Sunday, June 8, 2003 11:49, Bill B. [EMAIL PROTECTED] wrote:

I'm not sure that I agree with this test. I use Earthlink DSL at home, and I never send out emails using my @earthlink.net address. I always use my personal or business address, neither of which are provided by Earthlink. I'd bet that a large percentage of DSL, Cable and Dial-up customers do not use the email account that their ISP provides, but they use their ISP's outgoing mail server because they are forced to due to port 25 filtering.

Bill

-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

Another idea for a new test, a close cousin to the SpamDomains test:

Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP. How about a test where we build a list of CIDRs for a given ISP, then match it with all the domains those IPs use. In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14 rr.com rr.net

In this case, it would match the IP, look for both RR entries, find styggen.com and fail the message.

That's a pretty neat idea. That would work well for ISPs that don't allow their customers to run a mailserver, as it would provide an easy way to catch (most) mail from spammers on their networks, while allowing the legitimate E-mail through.

-Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] SpamIPs Test Idea
Thanks for the question Bill, Looking back at my original posting, I showed RDNS, then said all the domains those IPs use. The intent is to ignore MAILFROM (which Spam Domains already checks) and compare only IP with RDNS. Scott, Would that still be effective?

Dan

On Sunday, June 8, 2003 11:49, Bill B. [EMAIL PROTECTED] wrote:

I'm not sure that I agree with this test. I use Earthlink DSL at home, and I never send out emails using my @earthlink.net address. I always use my personal or business address, neither of which are provided by Earthlink. I'd bet that a large percentage of DSL, Cable and Dial-up customers do not use the email account that their ISP provides, but they use their ISP's outgoing mail server because they are forced to due to port 25 filtering.

Bill

-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

Another idea for a new test, a close cousin to the SpamDomains test:

Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP. How about a test where we build a list of CIDRs for a given ISP, then match it with all the domains those IPs use. In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14 rr.com rr.net

In this case, it would match the IP, look for both RR entries, find styggen.com and fail the message.

That's a pretty neat idea. That would work well for ISPs that don't allow their customers to run a mailserver, as it would provide an easy way to catch (most) mail from spammers on their networks, while allowing the legitimate E-mail through.

-Scott
Re: [Declude.JunkMail] SpamIPs Test Idea
Yes Bill, HELO not RDNS (that keyboard virus sure gets around). I've been running a BadIP list for some time that maps the CIDRs of many ISPs (broadband ranges in particular). With 2500 entries, it's on the heavy side but when a new range appears, the spammers find it and tell me about it. SpamIPs would essentially be a smart version of this.

Interesting, comparing RDNS to HELO! Essentially, every comparison test is battling the same problem, forged headers. Spammers have software with fields for typing in all these things and they plug away. If we total them, the number of possible comparisons is awesome:

MAILFROM vs HELO (Spam Domains)
IP vs HELO (SpamIPs)
RDNS vs HELO
RDNS vs MAILFROM
IP vs RDNS
IP vs MAILFROM

I like the first 3, Scott can pick the one(s) he likes best. :)

Dan

On Sunday, June 8, 2003 12:44, Bill B. [EMAIL PROTECTED] wrote:

Ahh, I get it. But it would have to compare the REMOTEIP to the HELO string, not to the REVDNS. Because styggen.com in the header below indicates the HELO string sent by the remote mail server, rather than the REVDNS value.

Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com

It would be difficult to maintain an accurate list of ISP CIDRs though. So what about a variation of this idea where the test would force REVDNS and HELO strings to contain a partial match. For example, an entry like this...

..rr.com .rr.net

would require a REVDNS that contains .rr.com, to use a HELO string containing either .rr.com or .rr.net. Or perhaps the other way around.

Bill

-Original Message-
From: Dan Patnode
Sent: 08 Jun 2003 12:47:11 -0700
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

Thanks for the question Bill, Looking back at my original posting, I showed RDNS, then said all the domains those IPs use. The intent is to ignore MAILFROM (which Spam Domains already checks) and compare only IP with RDNS. Scott, Would that still be effective?

Dan

On Sunday, June 8, 2003 11:49, Bill B. [EMAIL PROTECTED] wrote:

I'm not sure that I agree with this test. I use Earthlink DSL at home, and I never send out emails using my @earthlink.net address. I always use my personal or business address, neither of which are provided by Earthlink. I'd bet that a large percentage of DSL, Cable and Dial-up customers do not use the email account that their ISP provides, but they use their ISP's outgoing mail server because they are forced to due to port 25 filtering.

Bill

-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

Another idea for a new test, a close cousin to the SpamDomains test:

Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP. How about a test where we build a list of CIDRs for a given ISP, then match it with all the domains those IPs use. In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14 rr.com rr.net

In this case, it would match the IP, look for both RR entries, find styggen.com and fail the message.

That's a pretty neat idea. That would work well for ISPs that don't allow their customers to run a mailserver, as it would provide an easy way to catch (most) mail from spammers on their networks, while allowing the legitimate E-mail through.

-Scott
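The IP-versus-HELO comparison worked out in this thread, together with the "two IPs, see if they match" check suggested in the "How to stop this..." thread, as an added Python sketch that is not Declude's code and not from any poster. The table format follows the `24.208.0.0/14 rr.com rr.net` entry proposed above; the function names, verdict strings and the `example.net` / `example.org` / `notrr.com` sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# IMail-style Received line as quoted in the thread:
#   Received: from <HELO string> [<connecting IP>] by <receiving host> ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>[0-9.]+)\]\s+by\s+\S+",
    re.IGNORECASE,
)

# Hypothetical SpamIPs table: a CIDR, then the domains that hosts in that
# range are expected to announce in HELO (entries taken from the thread).
SPAMIPS_TABLE = """
24.208.0.0/14  rr.com rr.net
24.88.0.0/16   rr.com
"""


def load_table(text):
    """Parse 'CIDR domain [domain ...]' lines, most specific range first."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cidr, *domains = line.split()
        net = ipaddress.ip_network(cidr, strict=True)
        rules.append((net, [d.lower().lstrip(".") for d in domains]))
    rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)
    return rules


def domain_matches(host, domain):
    """Match on a label boundary so 'notrr.com' does not pass as 'rr.com'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_received(header, rules):
    """Classify one Received line by comparing the connecting IP with HELO."""
    m = RECEIVED_RE.match(header.strip())
    if not m:
        return "UNPARSED"
    try:
        remote = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return "UNPARSED"
    helo = m.group("helo")

    # Case 1: HELO is itself an IP literal; compare it with the real peer.
    try:
        helo_ip = ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        helo_ip = None
    if helo_ip is not None:
        return "HELO_IP_MATCH" if helo_ip == remote else "HELO_IP_MISMATCH"

    # Case 2: HELO is a name; if the peer is in a listed ISP range, the
    # name must fall under one of that ISP's domains. MAILFROM is ignored,
    # so customers sending with their own address are unaffected.
    for net, domains in rules:
        if remote in net:
            ok = any(domain_matches(helo, d) for d in domains)
            return "PASS" if ok else "FAIL_SPAMIPS"
    return "NOT_LISTED"


RULES = load_table(SPAMIPS_TABLE)

# First two lines are quoted from the threads; the rest are constructed.
SAMPLES = [
    "Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700",
    "Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com",
    "Received: from ae88-0-013.sc.rr.com [24.88.0.13] by mx.example.net",
    "Received: from notrr.com [24.88.0.13] by mx.example.net",
    "Received: from mail.example.org [192.0.2.10] by mx.example.net",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{check_received(line, RULES):17} {line[:70]}")
```

The HELO string is supplied by the sender, so a verdict of PASS only means the sender chose a plausible name; the FAIL and MISMATCH verdicts are the useful signals and are better applied as a weight than as a hard block.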
Re: [Declude.JunkMail] spamdomains list
Markus, I've been giving the subject of @'s in spamdomain tests some thought. With the original one column test, there was no way an @ was going to be in the RDNS so using it meant automatic failure. With the new two column format, this should now work:

@tin.it Tin.it
@tin.it Tuttopmi.it
@tin.it Flexmail.it

The only drawback is that this is not as flexible (forgiving) as say

Tin.it Tuttopmi.it

Scott, would you confirm?

Dan

On Thursday, June 5, 2003 9:41, Markus Gufler [EMAIL PROTECTED] wrote:

Thanks Andy. Here I've some spamdomains for those who have Italian domains on the server:

tiscali.it tiscalinet.it tiscalinet.it tiscali.it tin.it fep0 libero.it tin.it virgilio.it tin.it iol.it libero.it supereva.it freemail.it supereva.it cicciociccio.it supereva.it mybox.it supereva.it email.it webmessenger.it

Here I've also a question: It seems that legit mails with sender addresses containing @tin.it can be delivered from smtp-servers with the following revdns records:

Tin.it
Tuttopmi.it
Flexmail.it

Because both tuttopmi.it and flexmail.it have hostnames beginning with fep0x, I've added this as valid alias for tin.it. Will this work?

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, June 05, 2003 6:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] spamdomains list

Here two big international ones:

t-online.de t-online.com wanadoo.fr

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Friday, May 30, 2003 01:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] spamdomains list

Here is my list thus far:

amazon.com aol.com apple.com att. attbi.com bellsouth.net charter.net comcast. compuserve.com cox. earthlink. excite.com gte. hotmail.com juno.com .untd.com lycos.com microsoft.com mindspring. msn.com .hotmail.com netscape. psi. qwest. .rr.com verio. verizon. .bellatlantic. yahoo.com

Bill

- Original Message -
From: Scott MacLean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 9:49 AM
Subject: Re: [Declude.JunkMail] spamdomains list

If someone has a comprehensive spamdomains listing they are happy with, could they post it for others to analyze/use?

At 10:36 AM 5/30/2003, Bill Landry wrote:

One comment. Instead of having:

yahoo.com yahoo.ca yahoo.com yahoo.de yahoo.com yahoo.dk yahoo.com yahoo.es yahoo.com yahoo.fr yahoo.com yahoo.it yahoo.com yahoo.no yahoo.com yahoo.se yahoo.com yahoo.co.jp yahoo.com yahoo.co.uk yahoo.com yahoo.com.ar yahoo.com yahoo.com.au yahoo.com yahoo.com.br yahoo.com yahoo.com.cn yahoo.com yahoo.com.hk yahoo.com yahoo.co.kr yahoo.com yahoo.com.mx yahoo.com yahoo.com.tw yahoo.com

Why not just consolidate this down to:

yahoo. yahoo.com

Bill

- Original Message -
From: Bill B. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 7:20 AM
Subject: [Declude.JunkMail] spamdomains list

Attached is a list of spamdomains and their corresponding aliases that I've compiled thus far. Anybody want to comment or expand upon this?

Bill

___
Scott MacLean [EMAIL PROTECTED] ICQ: 9184011 http://www.nerosoft.com
[Declude.JunkMail] .biz
I take back what I said, I do have a low weighted test for .biz based links:

BODY 0 CONTAINS .biz/

Dan
Re: [Declude.JunkMail] spamdomains list
Thanks for the clarification. In that example then, the way to go is:

@abc.com xyz.

:)

On Friday, June 6, 2003 16:12, Bill Landry [EMAIL PROTECTED] wrote:

Those should work fine. What will not work is when the left part is listed more than once with different right parts, the first match wins and the others will never be checked. For example, abc.com will always only match the first line item here:

@abc.com xyz.com ---(Match and looks no further down the list)
@abc.com xyz.net
@abc.com xyz.org

Your list below should work just fine.

Bill

- Original Message -
From: Dan Patnode [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 3:33 PM
Subject: Re: [Declude.JunkMail] spamdomains list

So then these also won't work:

@2die4.com outblaze.com
@accountant.com outblaze.com
@adexec.com outblaze.com
@africamail.com outblaze.com
@allergist.com outblaze.com
@alumnidirector.com outblaze.com
@archaeologist.com outblaze.com
@arcticmail.com outblaze.com
@artlover.com outblaze.com
@asia.com outblaze.com

I'll take the @'s out

Dan

On Thursday, June 5, 2003 13:33, R. Scott Perry [EMAIL PROTECTED] wrote:

@tin.it Tin.it
@tin.it Tuttopmi.it
@tin.it Flexmail.it

Scott, would you confirm?

I'm not sure this will work. The problem is that when Declude JunkMail sees the line @tin.it Tin.it, if the reverse DNS is mail.Tuttopmi.it, Declude JunkMail will fail the test (even though it matches the next line, Declude JunkMail won't know that that should cancel out a previous line that failed).

-Scott
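The first-match behaviour described in this thread, modelled as an added Python sketch (not Declude's code; the function names, the case-insensitive substring matching and the sample addresses are assumptions made for illustration). It also includes a small check that reports lines which can never be reached because an earlier line has the same left part.

```python
def parse_rules(text):
    """Read two-column lines: '<MAILFROM part> <reverse DNS part>'."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            rules.append((parts[0].lower(), parts[1].lower()))
    return rules


def spamdomains(mailfrom, rdns, rules):
    """Return (verdict, deciding rule) under first-match evaluation."""
    mailfrom, rdns = mailfrom.lower(), rdns.lower()
    for sender_part, rdns_part in rules:
        if sender_part in mailfrom:
            # The first line whose left column matches decides the result;
            # later lines with the same left column are never consulted.
            verdict = "PASS" if rdns_part in rdns else "FAIL"
            return verdict, (sender_part, rdns_part)
    return "NOT_LISTED", None


def shadowed_rules(rules):
    """List (rule number, left, right) for rules that can never decide.

    If an earlier left part is contained in this one, every sender that
    would match this rule has already matched the earlier rule.
    """
    dead = []
    for i, (left, right) in enumerate(rules):
        if any(prev_left in left for prev_left, _ in rules[:i]):
            dead.append((i + 1, left, right))
    return dead


# Rule sets taken from the thread.
TIN_THREE_LINES = parse_rules("""
@tin.it Tin.it
@tin.it Tuttopmi.it
@tin.it Flexmail.it
""")
ABC_THREE_LINES = parse_rules("""
@abc.com xyz.com
@abc.com xyz.net
@abc.com xyz.org
""")
ABC_CONSOLIDATED = parse_rules("@abc.com xyz.")

if __name__ == "__main__":
    # Constructed senders and reverse DNS names.
    print(spamdomains("user@tin.it", "mail.tuttopmi.it", TIN_THREE_LINES))
    print(spamdomains("bob@abc.com", "smtp.xyz.net", ABC_THREE_LINES))
    print(spamdomains("bob@abc.com", "smtp.xyz.net", ABC_CONSOLIDATED))
    print(shadowed_rules(TIN_THREE_LINES))
```

The consolidation works for `xyz.com` / `xyz.net` / `xyz.org` because they share the prefix `xyz.`; the three tin.it relay names share no such substring, so a single line cannot cover them under this model.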
Re: [Declude.JunkMail] Declude Processes Server Load
Kami, I'm running ten IP4r tests, referred to in my original email as an external DB query. There seems to be a discrepancy between this as a cause and Scott's answer:

the Declude process should not show high CPU usage in this case. Declude uses the Sleep() command, which gives up CPU cycles to other programs (and will prevent the Task Manager from showing CPU usage in Declude during idle times, such as when Declude JunkMail is waiting for an external or DNS-based test to complete).

Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so. Does pulling out IP4r tests during an episode show an immediate decline in CPU use?

Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries? Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point where we should ask about doing more?

Thanks Dan

On Wednesday, June 4, 2003 1:33, Kami Razvan [EMAIL PROTECTED] wrote:

Hi Dan: We had a similar problem. I posted a couple of messages regarding this very issue. We were having CPU at 100% for minutes.. in one case when a mail list hit our server with a lot of users receiving the message at the same time the CPU was at 100% for almost an hour. We could not do anything... Finally the Declude processes disappeared and all was back to normal again.

What I noticed was the cause more than anything else was the IP4r tests. Declude appears to be fast in filtering and everything that it does. The IP4r tests are a different story and naturally out of Declude hands. We had a lot of them and by taking them off it brought things to normal.

I stated this in an earlier posting- we are not doing all of our IP4r tests in IMail version 8. It works much faster and since it caches it seems like it works great. We have about 60 IP4r tests (majority of what is listed in Declude/junkmail/manual.htm site). We will take some off and add others as we find their effectiveness but for now we are using a lot of them and no problem. I am interested to see if this helps you if you try it.

Regards, Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Tuesday, June 03, 2003 9:36 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude Processes Server Load

We added about 350 users to our 2000+ user dual server configuration in the last week and were doing pretty well until this afternoon. Suddenly the CPU load graph stopped looking like its normal Donkey Kong video game simulation (up and down) and more resembled a 100% highway with a few dips. Declude processes were taking quite a while to clear before finishing, to be replaced by another. I pulled out some multi thousand line tests and it nary made a dent.

Just before bringing our 3rd server into the fold, things quieted down. While I've already ordered 2 new dual processor 1U's, I want to pare down (if not eliminate) the variables involved:

1) If an external DB query slowed things down, delaying each Declude process, would Declude still show high CPU consumption while waiting and would the graph still be pegged? If not, is there any situation external to my server that would?

2) Is it possible for Declude to be consuming CPU cycles while idling for some other reason?

3) If something else is running in the background, eating cycles, does Declude 'look' like it's working harder?

4) If a user (or users) all received masses of attached files (say multi megabyte), would this slow things down in the way described?

5) When a new client reports having 30 users, what's the best way to decipher if this is the case? Is there a log analyzer that inventories unique addresses (understanding that 1 user can have many addresses).

Thanks!

Dan
Re: [Declude.JunkMail] Declude Processes Server Load
Scott, The servers in question are not [yet] running Declude Virus so what happened should be a purely Declude JunkMail question. With as lean as Declude is, looks like the only way to test this is in the moment. During yesterday's moment, it was tough to sit by turning off one test at a time, to see which it was, while clients were waiting for email. Is there a way to load test a server, generating activity across one, some or all tests to find bottlenecks?

The new servers will hopefully make it less likely to happen again but that will also hinder understanding. I'll just have to get more clients to load them down with. :)

Thanks Dan

On Wednesday, June 4, 2003 5:07, R. Scott Perry [EMAIL PROTECTED] wrote:

Just before bringing our 3rd server into the fold, things quieted down. While I've already ordered 2 new dual processor 1U's, I want to pare down (if not eliminate) the variables involved:

1) If an external DB query slowed things down, delaying each Declude process, would Declude still show high CPU consumption while waiting and would the graph still be pegged? If not, is there any situation external to my server that would?

No -- the Declude process should not show high CPU usage in this case.

2) Is it possible for Declude to be consuming CPU cycles while idling for some other reason?

No. Declude uses the Sleep() command, which gives up CPU cycles to other programs (and will prevent the Task Manager from showing CPU usage in Declude during idle times, such as when Declude JunkMail is waiting for an external or DNS-based test to complete).

3) If something else is running in the background, eating cycles, does Declude 'look' like it's working harder?

Not that I am aware of.

4) If a user (or users) all received masses of attached files (say multi megabyte), would this slow things down in the way described?

It could. However, in this case, the main CPU usage would be Declude Virus decoding the attachments. Even so, it should take a lot of large files to see 100% CPU usage for an extended period of time.

5) When a new client reports having 30 users, what's the best way to decipher if this is the case? Is there a log analyzer that inventories unique addresses (understanding that 1 user can have many addresses).

In this case, you may want to try our free Domain Lister tool (at http://www.declude.com/tools ), which you can run from a command prompt as domlist -list, which will (among other things) list all the users/aliases for a domain. It doesn't show the count, however.

-Scott
Re: [Declude.JunkMail] Stats on .biz, .us?
I played with a content body test for .biz/ and had FPs in no time. You can play with a low weight test with these, but their use will only increase with time. I treat them the same as .net/.org/.com, one [painfully slow] iteration at a time.

Dan

On Wednesday, June 4, 2003 6:19, Kami Razvan [EMAIL PROTECTED] wrote:

Hi;

Is anyone keeping track or have any stats on the % of spam in: .biz .us domains? From what I see it appears .biz and .us type domains have a higher probability of being SPAM as a percentage of legitimate emails with those domains.

Regards,
Kami
Re: [Declude.JunkMail] Declude Processes Server Load
That's interesting, I upgraded both of the problem servers to 1.70 two days (about 36 hours) before this hit. I'm going to see if I can switch back to 1.69iX to see if there is a difference.

Dan

On Wednesday, June 4, 2003 14:50, Frederick Samarelli [EMAIL PROTECTED] wrote:

I have noticed that using the v1.65 I never see Declude use more than 45% CPU. Using 1.70 Beta I see Declude max the CPUs 100%. Has anyone else seen the same?

Fred

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 4:36 PM
Subject: Re: [Declude.JunkMail] Declude Processes Server Load

Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so.

That is correct. It should use very, very little CPU time while waiting for the results to come back.

Does pulling out IP4r tests during an episode show an immediate decline in CPU use?

It shouldn't cause a noticeable decline in CPU use -- I can't explain Kami's results.

Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries?

You're not. Specifically, they will see the same number of queries whether you are running IMail v8's anti-spam, Declude JunkMail's, or some other anti-spam solution. The reason for this is that your local DNS server will cache the results.

Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point where we should ask about doing more?

There are some spam databases that request that heavy users (typically 100,000+ E-mails/day) do zone transfers (downloading the DNS data a couple times a day). However, if 80% of the lookups are cached, you're talking about 20,000 queries hitting the spam database for every 100,000 E-mails. The root DNS servers are able to handle up to tens of thousands of queries every second; DNS is very efficient.

-Scott
[Declude.JunkMail] Declude Processes Server Load
We added about 350 users to our 2000+ user dual server configuration in the last week and were doing pretty well until this afternoon. Suddenly the CPU load graph stopped looking like its normal Donkey Kong video game simulation (up and down) and more resembled a 100% highway with a few dips. Declude processes were taking quite a while to clear before finishing, to be replaced by another. I pulled out some multi thousand line tests and it nary made a dent.

Just before bringing our 3rd server into the fold, things quieted down. While I've already ordered 2 new dual processor 1U's, I want to pare down (if not eliminate) the variables involved:

1) If an external DB query slowed things down, delaying each Declude process, would Declude still show high CPU consumption while waiting and would the graph still be pegged? If not, is there any situation external to my server that would?

2) Is it possible for Declude to be consuming CPU cycles while idling for some other reason?

3) If something else is running in the background, eating cycles, does Declude 'look' like it's working harder?

4) If a user (or users) all received masses of attached files (say multi megabyte), would this slow things down in the way described?

5) When a new client reports having 30 users, what's the best way to decipher if this is the case? Is there a log analyzer that inventories unique addresses (understanding that 1 user can have many addresses).

Thanks!
Dan
Re: [Declude.JunkMail] Whitelist blacklist problem
Tommi,

There seems to be a feature for this built into Imail, but as usual, tests outside of Declude aren't really useful. I got into trouble last week when the default setting bounced a non spam.

Dan

On Tuesday, May 27, 2003 5:50, Tommi Penttinen [EMAIL PROTECTED] wrote:

At 08:54 26.05.2003 -0400, you wrote:

I seen one big problem with the whitelist users. If block some spam with rules and blacklist that's work fine but if they send to lot of people the spam mail and one user is on whitelist user then after that it whitelist the spam email. How to block this problem?

Unfortunately, that's a problem inherent with SMTP E-mail -- it's possible for anyone (including a spammer) to send one copy of an E-mail to many recipients, each of whom is expected to receive an identical copy of the E-mail.

Scott, Can you make in future declude some limited to many E-mail recipients?

Tommi.
Re: [Declude.JunkMail] Q: help with fixing client-side?
I have some insight on the date issue. Macs tell time by counting the amount of time since a date in 1903 (something to do with the Wright Brothers), used as time zero. It makes them automatically y2k savvy, but it also means that when a particular machine's been around long enough for the clock battery to die, they reset to time zero (1903).

Dan

On Friday, March 21, 2003 10:24, Joseph Acac [EMAIL PROTECTED] wrote:

What follows is the header from an email sent from a valid account to another valid account, here at UCD. The recipient was concerned that this message would be tagged as 'consistent with spam' and/or 'bad headers'. My thoughts were that perhaps it's because the user is on an older Macintosh, running an old version of Quick Mail, which perhaps doesn't follow standard email protocol/form? Any ideas?

Thanks, joe

X-POP3-Rcpt: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Received: from salzburg.ucdavis.edu (salzburg.ucdavis.edu [169.237.104.162]) by orvieto.ucdavis.edu (8.11.6/8.11.0/IT4.6.2) with ESMTP id h2L2M1p20970 for [EMAIL PROTECTED]; Thu, 20 Mar 2003 18:22:01 -0800 (PST)
Received: from primate.ucdavis.edu (blackhole.primate.ucdavis.edu [169.237.80.10]) by salzburg.ucdavis.edu (8.11.6/8.11.0/virus-scan-4.0.1) with ESMTP id h2L2Lwd08932 for [EMAIL PROTECTED]; Thu, 20 Mar 2003 18:21:59 -0800 (PST)
Received: from 169.237.80.51 [169.237.80.51] by primate.ucdavis.edu (SMTPD32-7.13) id A7451A730278; Thu, 20 Mar 2003 18:21:57 -0800
Date: 20 Mar 03 18:30:01 -0800
From: Alice Tarantal [EMAIL PROTECTED]
Subject: RE: Pilot call
To: John Capitanio [EMAIL PROTECTED]
X-Mailer: QuickMail Pro 1.5.4 (Mac)
X-Priority: 3
MIME-Version: 1.0
Reply-To: Alice Tarantal [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c014020e].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c014020e].
X-RBL-Warning: WEIGHT10: Weight of 11 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [169.237.80.51]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by orvieto.ucdavis.edu id h2L2M1p20970

Joseph C. Acac
CNPRC
University of California at Davis
[EMAIL PROTECTED]
[Declude.JunkMail] Spaced Out
A new spammer technique, though he still managed to fail:

mailfromSTRICT MAILFROM HELOBOGUS SouthAmerica Asia SPAMHEADERS :)

U N I V E R S I T Y D I P L O M A S O b t a i n a p r o s p e r o u s f u t u r e , m o n e y e a r n i n g p o w e r , a n d t h e a d m i r a t i o n o f a l l . D i p l o m a s f r o m p r e s t i g i o u s , n o n - a c c r e d i t e d u n i v e r s i t i e s b a s e d o n y o u r p r e s e n t k n o w l e d g e a n d l i f e e x p e r i e n c e . N o r e q u i r e d t e s t s, c l a s s e s , b o o k s , o r i n t e r v i e w s . B a c h e l o r s , m a s t e r s , M B A ,a n d d o c t o r a t e ( P h D ) d i p l o m a sa v a i l a b l e i n t h e f i e l d o f y o u r c h o i c e . N o o n ei s t u r n e d d o w n . C o n f i d e n t i a l i t y a s s u r e d . C A L L N O W t o r e c e i v e y o u r d i p l o m a w i t h i n d a y s ! ! ! 1-817-740-5673 C a l l 2 4 h o u r s a d a y , 7 d a y s a w e e k , i n c l u d i n g S u n d a y s a n d h o l i d a y s .
Re: * [Declude.JunkMail] Declude JunkMail v1.68 (beta) released
Kami,

I requested this. I see many spam and more importantly, spam that's not getting caught by other tests, with exceptionally long subject names, often with ten words or more. This idea is, of course, completely untried/untested, but my hopes are high.

Dan

On Thursday, March 20, 2003 3:23, Kami Razvan [EMAIL PROTECTED] wrote:

Hi;

I am curious what is the rationale for using LongSubject test. Based on what I see SPAMers are using shorter and shorter subject lines and these days, for the most part, are trying to be less and less descriptive... The example used was for 60 characters.. This email announcing release of 1.68 had over 60 characters.. All it takes is for a list to be replied to and this test will be triggered. I am curious as to why this test could be found useful?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, March 19, 2003 8:14 PM
To: [EMAIL PROTECTED]
Subject: Re: * [Declude.JunkMail] Declude JunkMail v1.68 (beta) released

I personally would like to see some examples and more details on how to implement new test when you email a notice like this announcing them.

That's what this list is for. :)

The nonenglish test type will detect E-mails that are not in English (specifically, ones that are using foreign characters in the Subject: header). It can be defined in the global.cfg file as:

NONENGLISH nonenglish * * 1 0

The subjectchars and subjectspaces tests work by counting the number of characters in a subject and the number of spaces, respectively. The test definition will define how many characters or spaces must appear before the test will be triggered. So the following tests would catch E-mail with a subject greater than 60 characters, and one with more than 15 spaces:

LONGSUBJECT subjectchars 60 * 3 0
SUBJECTSPACES subjectspaces 15 * 3 0

Finally, the dnsbl test type will let you use any type of DNS-based spam test, aside from the current ip4r and rhsbl style tests. This likely won't be useful until future tests make it worthwhile. A sample would be:

SOMEHELOTEST dnsbl %HELO%.bl.example.com 127.0.0.3 5 0

-Scott
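The subject tests defined in the message above, run against the list-reply subject Kami objects to and against letter-spaced text like the "Spaced Out" message, as an added Python example (not Declude's code and not something posted to the list). It assumes the third field is the threshold, the fifth the weight added when a test triggers and the sixth the weight otherwise; `letter_spaced_ratio` is a hypothetical extra heuristic that goes beyond the thread, not a Declude test type, and every sample subject except the list reply is constructed.

```python
from dataclasses import dataclass

# Test definitions as quoted in the thread (global.cfg syntax).
CONFIG = """\
NONENGLISH     nonenglish    *  * 1 0
LONGSUBJECT    subjectchars  60 * 3 0
SUBJECTSPACES  subjectspaces 15 * 3 0
"""


@dataclass
class SubjectTest:
    name: str
    kind: str
    param: str
    weight_hit: int   # assumption: 5th field, added when the test triggers
    weight_miss: int  # assumption: 6th field, added when it does not


def parse_config(text):
    """Parse six-field test lines; blank lines and '#' comments are skipped."""
    tests = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        name, kind, param, _unused, hit, miss = fields
        tests.append(SubjectTest(name, kind, param, int(hit), int(miss)))
    return tests


def triggers(test, subject):
    """Return True when `subject` (already MIME-decoded) trips the test."""
    if test.kind == "subjectchars":      # "greater than 60 characters"
        return len(subject) > int(test.param)
    if test.kind == "subjectspaces":     # "more than 15 spaces"
        return subject.count(" ") > int(test.param)
    if test.kind == "nonenglish":
        # Assumption: "foreign characters" means any non-ASCII code point.
        return any(ord(ch) > 127 for ch in subject)
    raise ValueError(f"unsupported test type: {test.kind}")


def score(tests, subject):
    """Sum the weights and list the tests that triggered, in config order."""
    total, failed = 0, []
    for test in tests:
        if triggers(test, subject):
            total += test.weight_hit
            failed.append(test.name)
        else:
            total += test.weight_miss
    return total, failed


def letter_spaced_ratio(text):
    """Hypothetical heuristic: share of whitespace-separated tokens that are a
    single character. Letter-spaced text scores near 1.0 whatever its length,
    which a fixed space count cannot express."""
    tokens = text.split()
    if not tokens:
        return 0.0
    return sum(1 for tok in tokens if len(tok) == 1) / len(tokens)


# Subject of this list thread (the false-positive case raised in the reply).
LIST_REPLY = "Re: * [Declude.JunkMail] Declude JunkMail v1.68 (beta) released"
# Constructed samples.
SPACED = "U N I V E R S I T Y D I P L O M A S"
CYRILLIC = "\u0421\u043f\u0430\u043c"  # Cyrillic for "spam"
WORDY = ("Get the best deal of your life on all of the things "
         "you want and need to buy right now")

if __name__ == "__main__":
    tests = parse_config(CONFIG)
    for subject in (LIST_REPLY, SPACED, CYRILLIC, WORDY):
        total, failed = score(tests, subject)
        ratio = letter_spaced_ratio(subject)
        print(f"{total:2d} {failed!s:34} spaced={ratio:.2f} {subject[:40]!r}")
```

The list reply scores the same 3 points as the letter-spaced subject, which is why the thread's advice to keep these as low-weight tests combined with others matters.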
Re: [Declude.JunkMail] Comments Test
I've seen a newsletter with 27 comments (Motley Fool), but there seems to be a sweet spot between 10 and 20. Just make sure you use it as a weighted test. I'm expecting the rationale configuration that works with html counting to also work with the new subject count tests, for similar reasons.

Dan

On Thursday, March 20, 2003 14:20, Darrell LaRock [EMAIL PROTECTED] wrote:

For the comments test has anyone found an acceptable value that seems to trap a lot of spam?

Thanks
Darrell
[Declude.JunkMail] Good ISP?
I've decided, for moral and blacklist avoiding reasons to switch from XO, an ISP now friendly to spammers. Are there many good ISPs left that I can switch to? Below are all the ISPs I've confirmed professional spammers being hosted on with dedicated IPs. Multiple entries indicate multiple spammers. Below that is Spamhaus' list. My apologies for mass mailing so much content, but I think it is valuable to the cause. Please cut off the lists if replying:

Thanks!
Dan

186k 3 Jane 3WCorp 3WCorp 4q LLC Abovenet AC_ESS RESOURCE SERVICE Aesir AGIS AIA AITT Music Inc Alpha-Omega Anything Email, Inc Aptimus Inc Argent Investment ATT WorldNet ATLIGHTSPEED AVH Communications above adcnap adcnap adcnap ai aibusiness aibusiness aibusiness alchemy alchemy alchemy aleron american-telesis appliedtheory aschwebhosting atlantic atlightspeed att att att worldnet att worldnet attcanada.ca australia avh communications avh communications avh communications avh communications Bay Com_uters Beanfield Technologies Bell Canada BestNet BestNet Broad River Communications Broadband Highway BroadbandONE Broadwing Communications barak.il bayarea bblabs bellsouth bellsouth broadspire broadspire broadspire broadspire broadspire broadspire broadwing broadwing broadwing California Regional Internet CBB CBB CBB CBB CBB CBB IN CERFnet CERFnet Cogent Communications Commecial Web Page Cube Computer Corporation Custom Offers CW Cyberfuse Technologies Cyberfuse Technologies c1.ca c1.ca c1.ca c1.ca cable wireless cais cais cais cais cais cavecreek cavecreek ccom ccom cerf cerf chinacomm.cn ciberlynx ciberlynx ciberlynx ciberlynx ciberlynx ciberlynx ciberlynx ciberlynx ciberlyxn cisdc city-guide cogent cogentco cogentco cogentco cogentco cogentco conxion covad covesoft cpus1 cw cw cw cwie cwie cybercon cybercon cybercon cybercon cybercon DE DEBT MANAGEMENT ASSOCIATE Digital Access Systems DSGI DST Group Inc Durelon Corp datapipe datapipe datapipe datapipe deltanet deltanet dialtone ECOCOM TELECOMMUNICATIONS
Edge Connections Electronic Network Holding Inc Entry Inc. Epana Networks Epoch Networks Euniverse EuroBackBone Europa Global Investments Everyones Internet Everyones Internet Everyones Internet Executive PC, Inc. Exodus Exodus Exodus Exodus Exodus Extra e-development e.spire Communications, In e2 Communications eli eli eli eli eli eli eli eli equiptd europaglobal europaglobal europaglobal exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus exodus Family Serv Agcy Fastcolo FORWARD Free Yankee fdn fdn fdn fdn fishy, range needs more info fnsi freeyankee freeyankee Giant Rewards, Inc Giant Technologies Global Crossing Global Crossing genuity genuity genuity genuity genuity genuity genuity ggn gt.ca HarvardNet Harvest Marketing Highstakes Marketing PL Hong Kong Hong Kong Hooked Inc hiflightinternet highspeedholdings highspeedholdings highspeedholdings highspeedholdings highspeedholdings highspeedholdings home.eircom hooked inc hostremote hostremote ICOnetworks INTERBUSINESS Inforonics, Inc Infracnet Interliant Interliant Interliant Internap Network Services Internetive Interop Show Network IRIDES, LLC Irvine IDC ibm idt inflow inflow infolink infolink infolink infolink infolink infracnct integratedmar interbusiness.it/ interbusiness.it/ interbusiness.it/ interbusiness.it/ internap internap internap internap internap internap internap internap internap internap internap internap internap internap internap internap internap intersatx intnet iWay Broadband JoeTek John Mehr jtel jtel Karin Sample LL Importating Services Level 3 Level 3 Level 3 Logic Webhosting Lynch International level 3 level3 level3 level3 level3 level3 level3 level3 level3 level3 level3 level3 level3 level3 level3 level3 long shot test MECH POST Media Unlimited/BAY9 Membership Management Minerva Network System Minerva Network Systems Mzima Networks Mzima Networks mach10hosting max4eu maxim maxim media3 
mindsharedesign NationalNet NationalNet Naviant Naviant Navisite NETLIMITED Neopolitan Networks NetSetGo Network Commerce, Inc Network Commerce, Inc Network Operations Center Inc Neucom / CandidHosting Neucom / CandidHosting Neucom / CandidHosting Neucom / CandidHosting Neucom / CandidHosting Neucom / CandidHosting Neucom / CandidHosting Neucom / CandidHosting New Edge Networks New Horizons NextLevel Non-Linear Creations NYC-IP net access net4you netagomi netatlantic netaxs netaxs netgaintechnology netsetgo netTelcos nettaxi network60 network60 newedgenetworks newedgenetworks newsouth nyc-ip nyc-ip Orange Internet oc3networks old deltanet oleane Pac Bell PanAmSat Patuxent Publishing PB Internet PB Internet PB Internet Pinnacle On-Line Primary Network Primary Network Prime Internet Network Pro Hosters pacbell pacbell pacbell pajo pajo peer1 peer1 phoenix prohosters prostepinc prostepinc Quixotik, Inc Qwest Cybercenters qwest qwest qwest qwest qwest qwest qwest qwest
Re: [Declude.JunkMail] DNS server returned server failure for
John,

I've been running around in circles chasing this problem. Basically it's an error that your DNS server doesn't understand well enough to give the correct code for. The problem then is that Declude misses out on any kind of DNS test opportunity because as Scott explains it, reacting to the failure itself would mean that a genuine failure would cause FPs. I would love a solution.

Dan

On Tuesday, March 11, 2003 11:06, John Tolmachoff [EMAIL PROTECTED] wrote:

What is the best way to diagnose/investigate these:

03/11/2003 11:04:05 Q33230c6100e83de9 WARNING: DNS server 67.94.227.35 returned a SERVER FAILURE error for MX or A for

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.JunkMail] savvis.net
Here are the Spamhaus savvis.net entries, all /32's:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL5743
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL5722
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL5721
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL3485

On Tuesday, March 11, 2003 12:45, Madscientist [EMAIL PROTECTED] wrote:

Hmmm... just noticed that savvis.net was in the bottom of that list. (I know it's odd replying to myself - did it to keep the thread...) I have first hand experience with their zero tolerance policy. I'd be curious to understand the source of that listing.

_M

| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Madscientist
| Sent: Tuesday, March 11, 2003 3:18 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Good ISP?
|
|
| Recommend switching to Savvis/Bridge. They have been our primary for
| years and they are awesome.
|
| hth,
| _M
|
Re: [Declude.JunkMail] Good ISP?
Should have figured there were ISPs on this list. Let me get more specific on needs ((please reply off list. Non ISPs, let me know if you want to see the results)):

We have our own servers and do hosting for ourselves and several hundred other businesses and people. We need about 5U of space, so half rack or less is preferable. 2mb expected throughput. Please provide the following:

1) Space increments (Us/rack)
2) Speed increments
3) Physical location(s)
4) Price schedules (with breakdowns)
5) Up-time guarantee/SLA, relating to connectivity and power (AC)
6) Spammer hosting policy

Thanks!
Dan
[Declude.JunkMail] Charter Communications CIDRs?
Does anyone know how to get a complete listing out of arin.net? I want to get a comprehensive list of Charter Communications CIDRs (for soft tests, not blacklisting) and ARIN stalls out with:

# Query returned 256 results. Some results may have been truncated.
# Try refining your query or use flags to be more specific.

A complete list or way around the 256 cap would be appreciated.

Thanks
Dan
Re: [Declude.JunkMail] A Question of Ethics
All,

As I read your replies, 1984 plays on Showtime (I kid you not!). The main character just read a printed letter (prehistoric email) and promptly burned it in his desk side incinerator.

Thank you for your thoughtful, candid, and emphatic responses. If I may wax philosophic (and Socratic), what we are dealing with is human nature and our new found ability to do things we may have wanted to do but lacked the technology. What makes 'stolen' web time or email time (or instant messenger time) different from time spent smoking by the back door or chatting is that our technology allows us to track, store, and most importantly, tally it up. As trackers, storers, and talliers, we facilitate this. Ethics asks but one question: should we? To this question, you have surprising and valuable answers.

The judgment of a tool cannot be separated from its uses, so what are its uses? Employers own the computers, the software, the network backbone, the bandwidth, and the employees' time; given up in exchange for the employer's money. The employer then, owns the 'right' to do that which and have done with what they wish. But there is a line.

Imagine a classroom full of kids whispering to one another. Now imagine that instead, they are passing notes. Now imagine they all have laptops that communicate through school owned networks (say 802.11). Kids have always been passing notes and teachers have always been catching them, some of them, once in a while. The difference with laptops and software, however, is that the school monitors ALL messages and catches ALL inappropriate notes, down to the smallest whisper. What makes 1984 so ridiculous is not that so much snooping would happen, it's that so many jobs/people/energy would be devoted to the task. With technology, that limitation melts away.

In my particular example, the employer very likely knew what was going on (like the 'bad' kid in class). He was probably a gross time waster who deserved to be fired. My concern isn't with him, it's with everyone still there. Suppose that every other employee finds out that the fired employee was in part (even the smallest part) caught because of email he expected to receive that instead went to management. What does it do to their psyches?

My greatest fear is my intelligence being used to hurt others. I push my Declude configuration to the edge of perfection and beyond so I can beat the spammers and while this is no Trinity (1st atom bomb project), I want to be aware of its potential uses and misuses.

As for To many companies ethics is spelled ethic$. Hopefully we as a group are not among them. I consider Declude admins to be as Declude, a cut above.

Dan

On Wednesday, February 26, 2003 16:20, Dan Patnode [EMAIL PROTECTED] wrote:

I realize this is two questions in one day, but it's a slow list day, so:

Rather than deleting spam, I forward it tagged or to a shared mailbox, client's choice. I just found out that within a week of starting my anti spam service (delivery choice 2), a company fired an employee for receiving tons of porn via email. They also have web monitoring in place so this was the last piece to their puzzle, but... How does everyone feel about our role playing Big Brother against employees?

Dan
Re: [Declude.JunkMail] A Question of Ethics
Below is an overview of what I believe is most relevant to me (in reverse chronological order), thank you for helping me clarify a troubling situation!:

I believe the fact that some employers may misuse information to mistreat employees is countered by the fact that some employees abuse the trust employers place in them. Your goal should be to be discerning who you choose to associate with so that you are not worrying about whether a tool created for good is turned to evil.
-Bill

Virtually every Internet related application is designed to manage or regulate the distribution or reception of data in some way. Tools that log activity are absolutely necessary. Tools that are intentionally designed to invade a users privacy are quite another thing entirely.
-Brian

A firewall log is a neutral record of general Internet activity. Any reasonably informed adult who uses the Internet should understand their actions may be logged, in the same way they understand a policeman might be watching them when they drive their car down a road. Certain parts of our daily activities are observed; that's a facet of urban life. What matters is whether the prior intent of the observation is hostile.
-Keith

In fact the company [without an Internet use policy] could lose twice. Once by someone who was offended by a fellow employees use of porn at the workplace and second by a wrongful termination suit by the offender. Many companies just added the Internet and email to the system without considering the consequences. Time to examine the company policies.
-David

any action or change on our part to manipulate the information presented to the client would be unethical in itself.
-John

If, however, you feel that, acting as a spam expert, you did not adequately represent the extremely high likelihood that pornographic e-mail is unsolicited, or, even worse, gave the reverse impression (i.e., that your filtering service--impossibly!--only allows through porn that was desired by the end user, deleting everything else on arrival), you should try to remedy this misunderstanding immediately.
-Sandy
[Declude.JunkMail] D T Files
Messages coming into the server show up in file pairs, one starting with D and the other starting with T. When the file has completely arrived, the T file turns into a Q file and the message gets delivered (somewhere in the middle, Declude works its magic).

As I add more and more domains, I'm starting to notice more and more orphans. According to the Imail web site, these indicate a message was not completely uploaded. I've seen enough to corroborate this information, but this leads to a question:

What do I do with all the orphans? Most are not spam, many have attachments, and the sender may or may not send another copy.

I'm new to Imail, what do other email servers do when the rest of the message doesn't make it? What do etiquette (and liability) concerns dictate?

Thanks

Dan
Re: [Declude.JunkMail] D T Files
Scott,

They are nearly always in pairs:

D48b89c5e1280b6c3
T48b89c5e1280b6c3

Is there an Imail setting I should check, that controls T files being deleted? I went in today and found file pairs as old as two days.

Double bounces show up as file pairs with shorter names ending in .GSE. These are always spam and, while also not self deleting, don't bother me.

Thanks

Dan

On Wednesday, February 26, 2003 15:07, R. Scott Perry [EMAIL PROTECTED] wrote:

> > Messages coming into the server show up in file pairs, one starting with D and the other starting with T. When the file has completely arrived, the T file turns into a Q file and the message gets delivered (somewhere in the middle, Declude works its magic). As I add more and more domains, I'm starting to notice more and more orphans. According to the Imail web site, these indicate a message was not completely uploaded.
>
> Orphan D files or orphan T files? Orphaned T files should be quite rare (as IMail should delete them if the SMTP transaction never completes). Orphaned D files will occur occasionally as double bounces (for example, I send out an E-mail but have the wrong return address; the E-mail bounces, but IMail can't bounce the E-mail because of the invalid return address).
>
> > What do I do with all the orphans? Most are not spam, many have attachments, and the sender may or may not send another copy.
>
> If they are D*.SMD files, they should be E-mails that couldn't be delivered for some reason. If they are T*.SMD files, something went wrong -- in this case, the computer that connected to IMail should have received an error response of some sort, and they should either re-try or receive a bounce message.
>
> -Scott
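Added example (not part of the original messages and not IMail or Declude code): a read-only inventory of a spool directory that groups the D/T/Q files described in this thread by their shared ID and reports pairs and orphans older than a threshold. The name pattern (one letter, a hex ID, an optional extension such as .SMD or .GSE), the function names and the sample listing are assumptions built from the file names quoted above.

```python
import os
import re
import time
from collections import defaultdict

# Assumption: spool names look like D48b89c5e1280b6c3 or D48b89c5e1280b6c3.SMD,
# i.e. a D/T/Q prefix, a hexadecimal ID and an optional extension.
NAME_RE = re.compile(r"^([DTQ])([0-9a-f]+)(\.[a-z0-9]+)?$", re.IGNORECASE)

HOUR = 3600.0
NOW = 1_000_000.0  # constructed reference time for the sample listing below

# Constructed sample listing: (file name, modification time in epoch seconds).
SAMPLE = [
    ("D48b89c5e1280b6c3", NOW - 50 * HOUR),  # D/T pair, two days old
    ("T48b89c5e1280b6c3", NOW - 50 * HOUR),
    ("D1a2b3c4d.SMD", NOW - 30 * HOUR),      # D file with no partner
    ("T5e6f7a8b.SMD", NOW - 30 * HOUR),      # T file with no partner
    ("Dffee0011", NOW - 1 * HOUR),           # recent pair, may still be arriving
    ("Tffee0011", NOW - 1 * HOUR),
    ("D0badcafe", NOW - 40 * HOUR),          # has a Q file, so it is queued
    ("Q0badcafe", NOW - 40 * HOUR),
    ("readme.txt", NOW - 100 * HOUR),        # not a spool file
]


def classify_spool(entries, now, min_age_hours=24.0):
    """Group (name, mtime) entries by ID and report stale pairs and orphans."""
    groups = defaultdict(dict)
    for name, mtime in entries:
        match = NAME_RE.match(name)
        if match is None:
            continue  # ignore anything that is not a D/T/Q spool file
        kind = match.group(1).upper()
        key = (match.group(2).lower(), (match.group(3) or "").lower())
        groups[key][kind] = (name, mtime)

    report = {"stale_pairs": [], "orphan_d": [], "orphan_t": []}
    for key in sorted(groups):
        files = groups[key]
        newest = max(mtime for _name, mtime in files.values())
        if (now - newest) / HOUR < min_age_hours:
            continue  # too recent: the SMTP transaction may still be running
        if "Q" in files:
            continue  # already handed to the delivery queue
        if "D" in files and "T" in files:
            report["stale_pairs"].append((files["D"][0], files["T"][0]))
        elif "D" in files:
            report["orphan_d"].append(files["D"][0])
        else:
            report["orphan_t"].append(files["T"][0])
    return report


def scan_directory(path, min_age_hours=24.0):
    """Run the same classification over a real directory (read-only)."""
    with os.scandir(path) as it:
        entries = [(e.name, e.stat().st_mtime) for e in it if e.is_file()]
    return classify_spool(entries, time.time(), min_age_hours)
```

The script only lists files; what to do with a stale pair or an orphan remains the operator's decision.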
[Declude.JunkMail] A Question of Ethics
I realize this is two questions in one day, but it's a slow list day, so:

Rather than deleting spam, I forward it tagged or to a shared mailbox, client's choice. I just found out that within a week of starting my anti spam service (delivery choice 2), a company fired an employee for receiving tons of porn via email. They also have web monitoring in place so this was the last piece to their puzzle, but...

How does everyone feel about our role playing Big Brother against employees?

Dan
Re: [Declude.JunkMail] Not caught by all lines
This is one of the reasons I build most of my filters in Excel. I drag down all particulars (like CONTAINS) from the cells above and it instantly and accurately fills, without typing. Drag drop the offending phrase from the spam and it's a spot on match every time.

Not that I don't make errors in OTHER places...

Dan

On Tuesday, February 25, 2003 12:59, John Tolmachoff [EMAIL PROTECTED] wrote:

> Look at the BODY 20 CONTIANS... line above with the new glasses.
>
> What's that rule again? I before A, except after T?
>
> Hanging head in shame
>
> John Tolmachoff MCSE, CSSA
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA 92835
> www.reliancesoft.com
Re: [Declude.JunkMail] BASE64? PLEASE...
Interestingly, I've found that not having a way to block email so encoded has forced me to focus on non message body based triggers for my tests, resulting in tests that are more robust all around. I will of course, embrace everything that makes such encoding transparent, but I'm actually glad at having had to work around it thus far.

Dan

On Monday, February 17, 2003 6:49, Kami Razvan [EMAIL PROTECTED] wrote:

> Scott:
>
> You once said you are thinking of adding Base64 parsing capability to Declude. Has that moved in the priorities?
>
> Adding this to Declude would truly make it a perfect spam killing machine... not having it with the ever more usage of it is causing more spams to come through. With Base64 our filters are useless.
>
> PLEAS... I can add more E's if it would help! :)
>
> Regards,
> Kami
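Added example (not part of the original messages and not Declude code): why a phrase filter that matches on the body as transmitted misses a Base64-encoded message, and how decoding each text part first makes the same phrase visible. The sample message, the filter phrase and all function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

PHRASE = "lower your mortgage rate"  # constructed filter phrase


def build_sample():
    """Constructed test message whose only body part is Base64-encoded."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "hello"
    msg.set_content("Lower your mortgage rate today!\n", cte="base64")
    return msg.as_string()


def raw_contains(raw, phrase):
    """Match against the undecoded body, as a plain substring filter would."""
    _headers, _sep, body = raw.partition("\n\n")
    return phrase.lower() in body.lower()


def decoded_text(raw):
    """Return the text of every text/* part after transfer decoding."""
    msg = email.message_from_string(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        try:
            chunks.append(part.get_content())
        except (LookupError, UnicodeDecodeError):
            # Unknown or wrong charset label: fall back to a lossless byte view.
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("latin-1"))
    return "\n".join(chunks)


def decoded_contains(raw, phrase):
    """Match against the decoded text instead of the transfer encoding."""
    return phrase.lower() in decoded_text(raw).lower()


if __name__ == "__main__":
    sample = build_sample()
    print("raw body match:    ", raw_contains(sample, PHRASE))
    print("decoded body match:", decoded_contains(sample, PHRASE))
```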
Re: Re[2]: [Declude.JunkMail] Reject Msg based on Size
My dial up users all use their client level don't download larger than option. If a message is larger than say 300k, a flag comes through instead that gives the user the option to download the actual message (including when) or they can delete without download. Seems to be that implementing this server wide is overkill.

The only pattern I've seen is with virii being between 50 and 100k. This would have many of the same FP issues as time of day or day of the week. Legitimate users can and do send legitimate email at 3am on Sunday and they can have 20 meg attachments.

Dan

On Monday, February 3, 2003 5:46, Roger Heath [EMAIL PROTECTED] wrote:

> Reply to: R. Scott Perry
> Re: [Declude.JunkMail] Reject Msg based on Size on Monday 7:12:40 AM
>
> He has a dialup modem and wants to limit per message size.. It would save processor, if a partial message was returned to each the sender and the original message if not delivered might save 1/2 bandwidth..
>
> --
> Roger Heath [EMAIL PROTECTED] www.rleeheath.com
>
> - Copy of Original Message(s): -
>
> Scott, I just had an MIT engineer/user suggest a feature to reject messages based on their size. I found this fascinating personally. You could look at the size and bounce, e.g. SIZE 10MB BOUNCE Might be a server saver also... especially if it bounced a partial response smaller message.
>
> R It is an interesting idea.
> R One problem, though, is that it wouldn't save any bandwidth (as the E-mail
> R would have to be received before bouncing it). Is this something that
> R others might find useful?
> R -Scott
[Declude.JunkMail] Spam Conference 2003 [MIT] Follow-up
They seem a little too preoccupied with content filters (IMHO), but here are the links to this month's presentations:

http://spamconference.org/proceedings2003.html

video: http://spamconference.org/webcast.html

photos: (wonder if any of these guys are Scott?) http://impressive.net/people/gerald/2003/01/17/spamconf.html

Of interest is this view of the latest anti filter spammer technique, slice dice: http://impressive.net/people/gerald/2003/01/17/10-08-27-med.html

Dan
Re: [Declude.JunkMail] Interbusiness
I tried that FTP file last year, with rather limited success and considerable frustration. I may try again this year.

With one exception (optinmail.cc, /18), IP ranges larger than /23 are always soft tests, only ever catching in connection with other tests. I give Interbusiness IPs the same treatment as many US based broadband and dialup IPs. It's just a lot easier to ask ARIN for all the IPs used by Verizon DSL, for example. I was just hoping someone had been tracking them differently or better than I.

Thanks

Dan

> If you're going to be doing this often, you might want to try going to ftp://ftp.ripe.net/ripe/dbase/split , and checking out the data files there. It can be some work to process (they are large, gzipped, and in Unix format), but should have the data you need. ripe.db.domain (50MB uncompressed) has the reverse DNS delegations, which should work for an organization like Interbusiness that has huge numbers of IPs.
>
> -Scott

> Interbusiness is the biggest Italian Backbone- and Internet Service Provider. On their network are connected a lot of smaller ISPs (using their IP-Ranges) and clients. The source of spam should be their xDSL-Network. You should know that you don't block only spam but also a lot of legitimate e-mail.
>
> Is the spam you receive from this ip-range in English? We receive here also a lot of spam from these IPs but all recipient domains are .it-domains and all the content is in Italian language.
>
> Markus

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Patnode
> Sent: Wednesday, January 29, 2003 3:46 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Interbusiness
>
> Every time I turn around these guys are hosting spam from a new/unknown range but RIPE doesn't seem to have the cool name lookup that ARIN has. Does anyone have CIDRs/IPs for Interbusiness - other than these?:
>
> 194.243.0.0/16 195.223.0.0/16 195.31.0.0/16 212.131.0.0/16 212.210.0.0/16 213.26.0.0/16 213.82.0.0/16 217.141.0.0/16 217.223.0.0/16 217.56.0.0/14 62.110.0.0/16 62.211.0.0/16 80.105.0.0/16 80.16.0.0/15 80.18.0.0/15 80.207.0.0/16 81.115.0.0/16 81.73.0.0/16
>
> Thanks
>
> Dan
[Declude.JunkMail] Interbusiness
Every time I turn around these guys are hosting spam from a new/unknown range but RIPE doesn't seem to have the cool name lookup that ARIN has. Does anyone have CIDRs/IPs for Interbusiness - other than these?:

194.243.0.0/16 195.223.0.0/16 195.31.0.0/16 212.131.0.0/16 212.210.0.0/16 213.26.0.0/16 213.82.0.0/16 217.141.0.0/16 217.223.0.0/16 217.56.0.0/14 62.110.0.0/16 62.211.0.0/16 80.105.0.0/16 80.16.0.0/15 80.18.0.0/15 80.207.0.0/16 81.115.0.0/16 81.73.0.0/16

Thanks

Dan
[Declude.JunkMail] ATT WorldNet: FP City
They actually used an RDNS blocker (as a hard test) last week, with predictable results:

http://zdnet.com.com/2100-1105-982118.html

The irony, of course, is how much spam comes FROM WorldNet IPs.

Dan
Re: [Declude.JunkMail] IP Range to CIDR Conversion
Rick,

Scott has a tool specifically for this:

http://www.dnsstuff.com/tools/cidr.ch?ip=

Put in one of the IPs of the range at the end

http://www.dnsstuff.com/tools/cidr.ch?ip= 61.128.0.0

and look at the output. Choose the range in the 2nd and 3rd columns that best matches what you want (evidence of the spammers range), then grab the CIDR from the left.

My only issue is that with the CIDRs on the far left most end of the HTML page, it gets copied out as cr61.128.0.0/28 so when I copy and paste them I have to manually delete the return.

Dan

On Sunday, January 26, 2003 6:16, Rick Rountree [EMAIL PROTECTED] wrote:

> Scott (or anyone else who may know),
>
> I'm trying to convert my list of banned IPs from MailShield format for use in JunkMail. MailShield uses a text file with single IPs and IP ranges like this:
>
> 61.128.0.0-61.159.255.255
> 62.4.16.95
>
> I want to convert these to JunkMail format like this:
>
> 61.128.0.0/11
> 62.4.16.95/32
>
> I've used the CIDR/Netmask lookup on dnsstuff.com, but that's slow and tedious. I'm looking for a tool which I can either:
>
> 1) paste in the range, i.e., 61.128.0.0-61.159.255.255 and get the CIDR bit output (good) or
> 2) If anyone has a JunkMail style file to share which includes all of China's, Korea's, (and other Asian countries that are prone to open relays) assigned IPs (better) or
> 3) Read in my MailShield file and spit out a JunkMail style file. (best)
>
> I've also tried several IP convertors I found while Googling but none seem to take an IP range in this form (61.128.0.0-61.159.255.255) as valid input.
>
> So...which one of you folks already know how this can be done so I can stop beating my head up against the wall! <g>
>
> Best regards,
> Rick Rountree
> Dundee.Net
> Go Raiders!
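Added example (not part of the original messages, and not a MailShield, JunkMail or dnsstuff.com tool): the range-to-CIDR conversion Rick asks for, done with Python's standard `ipaddress` module. It goes slightly beyond the two cases in the post by also handling ranges that do not align to a single prefix and by merging adjacent results; the function names are assumptions, and the input format is taken from the two sample lines quoted above.

```python
import ipaddress


def entry_to_cidrs(entry):
    """Convert 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into a list of CIDR strings."""
    first_text, sep, last_text = entry.strip().partition("-")
    first = ipaddress.IPv4Address(first_text.strip())
    # A line without '-' is a single address, i.e. a range of length one.
    last = ipaddress.IPv4Address(last_text.strip()) if sep else first
    if last < first:
        raise ValueError("range end is below range start: %r" % entry)
    # A range that is not aligned to one prefix yields several networks.
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def convert_list(lines):
    """Convert a whole list; returns (sorted merged CIDRs, rejected lines)."""
    networks, rejected = [], []
    for lineno, line in enumerate(lines, start=1):
        text = line.strip()
        if not text:
            continue  # skip blank lines
        try:
            networks.extend(ipaddress.ip_network(c) for c in entry_to_cidrs(text))
        except ValueError as exc:
            # Keep bad lines visible instead of silently dropping a ban entry.
            rejected.append((lineno, text, str(exc)))
    # collapse_addresses merges adjacent or overlapping networks and sorts them.
    merged = ipaddress.collapse_addresses(networks)
    return [str(net) for net in merged], rejected


if __name__ == "__main__":
    # The two lines from the post plus constructed edge cases.
    sample = [
        "61.128.0.0-61.159.255.255",
        "62.4.16.95",
        "",
        "192.0.2.1-192.0.2.6",   # constructed: not aligned to one prefix
        "not-an-ip",             # constructed: malformed line
    ]
    cidrs, bad = convert_list(sample)
    for cidr in cidrs:
        print(cidr)
    for lineno, text, reason in bad:
        print("line %d rejected (%s): %s" % (lineno, text, reason))
```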
Re: [Declude.JunkMail] Declude in PCMag
As a Mac user (prone to nagging developers), I resemble that remark! ;)

On Friday, January 24, 2003 14:05, Brian Milburn [EMAIL PROTECTED] wrote:

> Nah, we've been in there a bunch of times and all you get is calls from people wanting to know if you have a Mac version!
>
> Just kidding, congratulations Scott!
>
> Brian
>
> On 01/24/03 3:52pm you wrote...
>
> > Congratulations, Scott. Declude is mentioned in PCMag, latest February 25th Issue, page 95. Sniffer is also in the same listing. Suppose we'll see price increases now. big grin
> >
> > --
> > Roger Heath [EMAIL PROTECTED] www.rleeheath.com