Re: [Declude.JunkMail] too funny

2006-04-19 Thread Mike K @ NetDotCom

This is the best part,

Registration is via a confidential money transfer.

Send your bank's name, account number, your name, address, telephone number, 
and fax numbers. Please note again that this transaction is strictly 
confidential and as such should be kept secret. Be rest assured that this 
transaction is 100% risk free.


Mike



- Original Message - 
From: "Kevin" <[EMAIL PROTECTED]>

To: 
Sent: Monday, April 17, 2006 4:14 PM
Subject: [Declude.JunkMail] too funny



Saw this in a security newsletter:

http://j-walk.com/other/conf/index.htm
Nigerian Email Conference

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.4.4/318 - Release Date: 4/18/2006






Re: [Declude.JunkMail] Decludeproc abend

2005-12-22 Thread Mike K @ NetDotCom



Actually it was Novell that intro'd this word to the PC server world, Microsoft just intro'd it to the masses:-)

Mike

- Original Message -
From: Nick Hayer
To: Declude.JunkMail@declude.com
Sent: Wednesday, December 21, 2005 16:51
Subject: Re: [Declude.JunkMail] Decludeproc abend

John T (Lists) wrote:

> Is abend some kind of French word?

Abnormal Ending. - circa 1985 - coined with the introduction of Microsoft products.

-Nicko

> ;)
>
> John T
> eServices For You
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
> Sent: Wednesday, December 21, 2005 1:13 PM
> To: Declude.JunkMail@declude.com
> Subject: [Declude.JunkMail] Decludeproc abend
>
> I have had decludeproc 3.0.5.22 abend on me twice today. Is there anything I should be
> doing to capture information about this? I have automatic restart enabled so
> it starts again but I am not super happy with it abending.
>
> Any hints on what (if anything) I can/should be doing?
>
> Goran Jovanovic
> Omega Network Solutions
  
  



Re: [Declude.JunkMail] does anyone punish email from these folks?

2005-12-20 Thread Mike K @ NetDotCom



We outright reject all their mail.

We started by just holding and found lots of 'suspicious' activity like identical emails with different "from" domains, etc. Normal spam type stuff CC offers, grant money, etc.

Then we started blocking one /24, then they switched to other subnets so we blocked their entire IP space.

No complaints from users.

Mike

- Original Message -
From: Nick Hayer
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 20, 2005 10:36
Subject: [Declude.JunkMail] does anyone punish email from these folks?

I sure do get a lot of spam from this ip space - are they legit and are lacking in their monitoring or ?

Thanks --Nick

OrgName:    WholeSale Internet
OrgID:      WHOLE-125
Address:    1102 Grand Ave Suite 905
City:       Kansas City
StateProv:  MO
PostalCode: 64106
Country:    US

NetRange:   69.30.192.0 - 69.30.239.255
CIDR:       69.30.192.0/19, 69.30.224.0/20
NetName:    WHOLESALEINTERNET
  
  



Re: Re[4]: [Declude.JunkMail] domain name a name

2005-02-11 Thread Mike K @ NetDotCom
Postfix with postgrey does exactly this.
Delays 5 minutes and maintains a db of subnet, sender & recipient combo.

Mike

- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Friday, February 11, 2005 13:56
Subject: RE: Re[4]: [Declude.JunkMail] domain name a name

I meant to also add that I recently had many hours of planned downtime
on my MTA in my absolute lowest ham window - late Saturday evening
through early Sunday morning.  I saw very little spam increase once the
MTA was back up.

This tells me that the spammers have not yet implemented full MTAs that
retry their queued spam.  An MTA that tells them to try again later
(greylisting) would work well for me.

If greylisting that was configurable by hours was available to me, I
might turn it off during business hours for maximum "safety".  I would
also want a feature to gather addresses/domains/IPs from my outbound
mail to create an autowhitelist*.

Andrew 8)

* http://eservicesforyou.com/ John Tolmachoff, do you still sell
AutoWhite?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, February 11, 2005 6:49 AM
To: Darin Cox
Subject: Re[4]: [Declude.JunkMail] domain name a name

On Friday, February 11, 2005, 9:28:28 AM, Darin wrote:

DC> Hi Pete,
DC> Right... but the first few typically slip through before they're
DC> added to your filters (like they would for anyone)...so we add them
DC> on the first report to us as well.

I'll raise the feature request again --- as soon as I get my flameproof
suit on:

Declude should have a test/feature to delay a message by x hours if the
sender is not recognized. This gives all filtering mechanisms time to
adapt to new spam sources. Once the delay time has expired the message
is passed through as if it were new so that the presumably updated BLs,
filters, etc will have the ability to filter the message (if needed).

To revive and put to rest past arguments about this:

Big reason not to do this: It is unforgivable and in all other ways a
bad idea to delay any message by any amount of time and huge amounts of
money or even lives may be lost if this happens.

To which I contend...

If this is the first time you have ever received a message from a
particular source then there is no expectation yet for the time to
delivery and email systems in general may impose end-to-end delays of
between minutes to hours depending upon many unknown factors at any time
(queues, down servers, down connectivity, graylisting (force retry at
first connect)).

Since only _new_ connections would be affected, this feature would go
almost un-noticed in the vast majority of cases. All other email
sources, where there is an expectation, would be passed at full speed
with normal filtering.

Also, IF you happen to be in a position where you really can't afford to
impose any delays on new messages then: A) You probably aren't filtering
anyway since that would be dangerous [ a conflict in policy ] and B) You
_can_ turn it off ;-)

Those are my thoughts on that ( once again ).

_M

/M retreats to underground bunker & activates shields at full power.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
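The greylisting behaviour described in this message (defer the first attempt, accept a retry after 5 minutes, remember the subnet/sender/recipient combination), together with the outbound auto-whitelist Andrew asks for, as an added sketch that is not postgrey's or Declude's code. The expiry times, class and method names, and the sample addresses are assumptions.

```javascript
// Added example (not Postfix/postgrey source): greylisting keyed on the
// (client /24 subnet, envelope sender, envelope recipient) triplet.
const DELAY_MS = 5 * 60 * 1000;               // the 5-minute delay from the post
const RETRY_WINDOW_MS = 2 * 24 * 3600 * 1000; // assumption: unretried entries expire
const PASS_TTL_MS = 35 * 24 * 3600 * 1000;    // assumption: idle passed entries expire

function subnet24(ip) {
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error("not an IPv4 address: " + ip);
  return octets.slice(0, 3).join(".") + ".0/24";
}

class Greylist {
  constructor() {
    this.triplets = new Map();      // key -> { firstSeen, lastSeen, passed }
    this.autoWhitelist = new Set(); // remote addresses our users have written to
  }

  // Called for outbound mail: builds the auto-whitelist asked for in the thread.
  noteOutbound(remoteRecipient) {
    this.autoWhitelist.add(remoteRecipient.toLowerCase());
  }

  // Called at RCPT TO for inbound mail; `now` is epoch milliseconds.
  check(clientIp, sender, recipient, now) {
    const from = sender.toLowerCase();
    if (this.autoWhitelist.has(from)) {
      return { code: 250, reason: "auto-whitelisted correspondent" };
    }
    const key = [subnet24(clientIp), from, recipient.toLowerCase()].join("|");
    let entry = this.triplets.get(key);
    if (entry) {
      const expired = entry.passed
        ? now - entry.lastSeen > PASS_TTL_MS
        : now - entry.firstSeen > RETRY_WINDOW_MS;
      if (expired) entry = undefined; // treat as never seen
    }
    if (!entry) {
      this.triplets.set(key, { firstSeen: now, lastSeen: now, passed: false });
      return { code: 450, reason: "greylisted: first attempt" };
    }
    entry.lastSeen = now;
    if (!entry.passed && now - entry.firstSeen < DELAY_MS) {
      return { code: 450, reason: "greylisted: retried too soon" };
    }
    entry.passed = true;
    return { code: 250, reason: "triplet accepted" };
  }
}

// Constructed session: documentation addresses, times in minutes after first try.
function demo() {
  const g = new Greylist();
  const min = (n) => n * 60 * 1000;
  return [
    g.check("192.0.2.10", "news@example.net", "user@example.org", min(0)).code,
    g.check("192.0.2.10", "news@example.net", "user@example.org", min(1)).code,
    g.check("192.0.2.77", "news@example.net", "user@example.org", min(6)).code,
    g.check("198.51.100.5", "news@example.net", "user@example.org", min(7)).code,
  ];
}
```

The third attempt is accepted even though it comes from a different host, because it falls in the same /24; the fourth comes from another subnet and starts over. An envelope sender is trivially forged, so a whitelist keyed on it alone is best combined with other tests.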


Re: [Declude.JunkMail] domain name a name

2005-02-11 Thread Mike K @ NetDotCom
Perhaps a test that looks at the date of registration so new domains could 
be weighted higher.

Mike
- Original Message - 
From: "Nick" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, February 09, 2005 12:25
Subject: Re: [Declude.JunkMail] domain name a name


I am seeing more and more I guess one would call throw-away domains
like:
.hdcnsowp.com
.hcnmvkofut.com
.eisopfkcnjt.com
.edhcbxgsyi.com
These are generally in the body of an email; is there a way to
determine if a domain is in readable format? I would not fail an
email over this but it would be nice to punish the email at least to
some degree -
-Nick

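One way to approximate the "is this domain readable" test Nick asks about, as an added example rather than a Declude feature: add weight when the registrable label has a long consonant run or very few vowels. The thresholds, weights, function names and the sample body are assumptions; the four gibberish domains are the ones quoted above.

```javascript
// Added example: heuristic weight for unpronounceable domain labels.
const VOWELS = new Set(["a", "e", "i", "o", "u"]);
const MIN_LENGTH = 6;          // assumption: shorter labels are too short to judge
const CONSONANT_RUN_MIN = 5;   // assumption: five consonants in a row is unusual
const VOWEL_RATIO_MIN = 0.25;  // assumption: readable labels are at least 1/4 vowels

// Assumption: the label left of the TLD is the registrable one. Names under
// multi-part suffixes (co.uk and similar) need the Public Suffix List instead.
function registrableLabel(host) {
  const parts = host.toLowerCase().replace(/^\.+|\.+$/g, "").split(".");
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

function labelStats(label) {
  const letters = label.toLowerCase().replace(/[^a-z]/g, "");
  let vowels = 0;
  let run = 0;
  let longestRun = 0;
  for (const ch of letters) {
    if (VOWELS.has(ch)) {
      vowels += 1;
      run = 0;
    } else {
      run += 1;
      longestRun = Math.max(longestRun, run);
    }
  }
  return {
    length: letters.length,
    vowelRatio: letters.length ? vowels / letters.length : 0,
    longestConsonantRun: longestRun,
  };
}

// Returns a weight to add to the message score, never a pass/fail verdict.
function gibberishWeight(host) {
  const s = labelStats(registrableLabel(host));
  if (s.length < MIN_LENGTH) return 0;
  let weight = 0;
  if (s.longestConsonantRun >= CONSONANT_RUN_MIN) weight += 2;
  if (s.vowelRatio < VOWEL_RATIO_MIN) weight += 1;
  return weight;
}

// The domains show up in the message body, so score every linked host
// and keep the worst one.
function extractHosts(body) {
  return Array.from(body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi), (m) => m[1]);
}

function bodyWeight(body) {
  return extractHosts(body).reduce((w, h) => Math.max(w, gibberishWeight(h)), 0);
}

// Constructed message body using one domain from the post.
const SAMPLE_BODY =
  "Click http://www.hcnmvkofut.com/offer now. Unsubscribe: http://www.declude.com/";

function demo() {
  return {
    fromPost: [".hdcnsowp.com", ".hcnmvkofut.com", ".eisopfkcnjt.com", ".edhcbxgsyi.com"]
      .map(gibberishWeight),
    readable: ["declude.com", "mail-archive.com"].map(gibberishWeight),
    realWordFalsePositive: gibberishWeight("rhythms.com"),
    body: bodyWeight(SAMPLE_BODY),
  };
}
```

A real English word such as "rhythms" scores as high as the throwaway names, which is why this belongs in a weighted test and not in a reject rule.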


Re: [Declude.JunkMail] ed10.com - E-Dialog

2004-12-10 Thread Mike K @ NetDotCom
Ok here
Mike
- Original Message - 
From: "DLAnalyzer Support" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 10, 2004 10:29
Subject: [Declude.JunkMail] ed10.com - E-Dialog


Does anyone have any feedback on E-Dialog.com?  It appears there are 
several reputable companies using them (NFL, Reuters, etc).
Darrell




Re: [Declude.JunkMail] Scam letter filter

2004-11-22 Thread Mike K @ NetDotCom
Create a custom body filter that contains a list of the unique phrases, 
misspellings and names they use in the letters. Along with filters like 
Matt's at mailpure.com will catch most if not all of them.

There is a website that has a lot of the phrases also, do a Google for 4_1_9 
and N*i*g*e*r*i*a should turn up the address

Mike
- Original Message - 
From: "John Carter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 22, 2004 09:23
Subject: [Declude.JunkMail] Scam letter filter


I've been looking at the archives about the N*i*g*e*r*i*a*n letter filters
and saw a lot of discussion back in January, but couldn't tell what people
concluded would be the best filter for this.  Does anyone have anything to
share?  (Prefer a Declude only solution as I don't have SpamAssassin.)
Thanks,
John


Re: [Declude.JunkMail] weird random .htm attachments

2004-03-30 Thread Mike K
yes

Mike

- Original Message - 
From: "Glenn Brooks" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 30, 2004 09:20
Subject: Re: [Declude.JunkMail] weird random .htm attachments


> so you do a body filter?
>
> At 09:00 AM 3/30/2004 -0500, you wrote:
> >I filter on this "+ String.fromCharCode("
> >
> >This is common in all of them. Combined with other tests it catches most.
> >
> >Mike
> >
> >
> >
> >- Original Message -
> >From: "Glenn Brooks" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Monday, March 29, 2004 20:02
> >Subject: RE: [Declude.JunkMail] weird random .htm attachments
> >
> >
> > > Has anyone set up a filter to catch these...we get a lot of them...
> > >
> > > gb
> > >
> > >
> > > At 04:41 PM 3/29/2004 -0800, you wrote:
> > > > >Yes, I have been seeing them too. They are java scripts that run. Definitely
> > > > >spam.
> > > >
> > > >John Tolmachoff
> > > >Engineer/Consultant/Owner
> > > >eServices For You
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > > > > [EMAIL PROTECTED] On Behalf Of Kevin
> > > > > Sent: Monday, March 29, 2004 4:37 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: [Declude.JunkMail] weird random .htm attachments
> > > > >
> > > > > Hi,
> > > > >
> > > > > > Tried searching mail-archive.com for these but didn't turn up anything.
> > > > > >
> > > > > > Subject: pass on the fun [random subjects]
> > > > > > Body: This message has attach [random too]
> > > > > > [random attachments but always ends in .htm]
> > > > > >
> > > > > > I didn't open it with IE but with a text editor.
> > > > > >
> > > > > > Starts with contractions = new Array(162,
> > > > > > [whole bunch of numbers]
> > > > > >
> > > > > > ends with
> > > > > >
> > > > > > charters = 907;
> > > > > > beetle = 243;
> > > > > > var equal = "";
> > > > > > for(bowl = 0; bowl < charters; bowl++)
> > > > > >   equal = equal + String.fromCharCode(contractions[bowl] ^
> > > > > >     preferential[bowl % beetle]);
> > > > > > document.write(equal);
> > > > > >
> > > > > > Sniffer catches these under rule 62 (Experimental) but it's not enough to
> > > > > > hold these.
> > > > >
> > > > > Any ideas? What does one see when they view this under IE?
> > > > >
> > > > >
> > > > > ---
> > > > > [This E-mail was scanned for viruses by Declude Virus
> > > >(http://www.declude.com)]
> > > > >
> > > > > ---
> > > > > This E-mail came from the Declude.JunkMail mailing list.  To
> > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > > type "unsubscribe Declude.JunkMail".  The archives can be found
> > > > > at http://www.mail-archive.com.
> > > >
> > > >---
> > > >[This E-mail was scanned for viruses by Declude Virus
> > > >(http://www.declude.com)]
> > > >
> > > >---
> > > >This E-mail came from the Declude.JunkMail mailing list.  To
> > > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > >type "unsubscribe Declude.JunkMail".  The archives can be found
> > > >at http://www.mail-archive.com.
> > >
> > > Glenn Brooks
> > > WebWize, Inc.
> > > 713-688-4382
> > > http://www.webwize.com
> > >
> > >
> > >
> > >
> >
> >
>
> Glenn Brooks
> WebWize, Inc.
> 713-688-4382
> http://www.webwize.com
>
>
>
>




Re: [Declude.JunkMail] weird random .htm attachments

2004-03-30 Thread Mike K
I filter on this "+ String.fromCharCode("

This is common in all of them. Combined with other tests it catches most.

Mike



- Original Message - 
From: "Glenn Brooks" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 29, 2004 20:02
Subject: RE: [Declude.JunkMail] weird random .htm attachments


> Has anyone set up a filter to catch these...we get a lot of them...
>
> gb
>
>
> At 04:41 PM 3/29/2004 -0800, you wrote:
> >Yes, I have been seeing them too. They are java scripts that run. Definitely
> >spam.
> >
> >John Tolmachoff
> >Engineer/Consultant/Owner
> >eServices For You
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > > [EMAIL PROTECTED] On Behalf Of Kevin
> > > Sent: Monday, March 29, 2004 4:37 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [Declude.JunkMail] weird random .htm attachments
> > >
> > > Hi,
> > >
> > > Tried searching mail-archive.com for these but didn't turn up anything.
> > >
> > > Subject: pass on the fun [random subjects]
> > > Body: This message has attach [random too]
> > > [random attachments but always ends in .htm]
> > >
> > > I didn't open it with IE but with a text editor.
> > >
> > > Starts with contractions = new Array(162,
> > > [whole bunch of numbers]
> > >
> > > ends with
> > >
> > > charters = 907;
> > > beetle = 243;
> > > var equal = "";
> > > for(bowl = 0; bowl < charters; bowl++)
> > >   equal = equal + String.fromCharCode(contractions[bowl] ^
> > >     preferential[bowl % beetle]);
> > > document.write(equal);
> > >
> > > Sniffer catches these under rule 62 (Experimental) but it's not enough to
> > > hold these.
> > >
> > > Any ideas? What does one see when they view this under IE?
> > >
> > >
>
> Glenn Brooks
> WebWize, Inc.
> 713-688-4382
> http://www.webwize.com
>
>
>
>


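A static check for the attachment described in this thread, added here as an example that is not from any of the posts: it compares the literal body-filter string with a match on the shape of the XOR decode step, and rebuilds the hidden text without running the script or rendering it, which answers what the page would show in a browser. The sample arrays are constructed, and the function and field names are assumptions.

```javascript
// Added example: static triage of the XOR-decoding .htm attachment described
// above. Nothing is executed or rendered; the payload is rebuilt as plain text.
const LITERAL_FILTER = "+ String.fromCharCode("; // the body-filter string quoted above

const ID = "([A-Za-z_][A-Za-z0-9_]*)";
// Shape of the decode step: fromCharCode(data[i] ^ key[i % keyLen]), any names,
// any whitespace, because the variable names are random per message.
const XOR_STEP = new RegExp(
  "String\\.fromCharCode\\(\\s*" + ID + "\\[\\s*" + ID + "\\s*\\]\\s*\\^\\s*" +
  ID + "\\[\\s*\\2\\s*%\\s*" + ID + "\\s*\\]\\s*\\)"
);

// Reads `name = new Array(1,2,3)` as numbers, or null if absent.
function readArray(html, name) {
  const m = new RegExp("\\b" + name + "\\s*=\\s*new\\s+Array\\(([\\d\\s,]*)\\)").exec(html);
  if (!m) return null;
  return m[1].split(",").map((s) => s.trim()).filter(Boolean).map(Number);
}

// Reads `name = 123;` as a number, or null if absent.
function readNumber(html, name) {
  const m = new RegExp("\\b" + name + "\\s*=\\s*(\\d+)\\s*;").exec(html);
  return m ? Number(m[1]) : null;
}

function triage(html) {
  const report = {
    literalFilterHit: html.includes(LITERAL_FILTER),
    xorDecodeLoop: false,
    writesToDocument: /document\.write\s*\(/.test(html),
    decodedText: null,
  };
  const step = XOR_STEP.exec(html);
  if (!step) return report;
  report.xorDecodeLoop = true;
  const data = readArray(html, step[1]);
  const key = readArray(html, step[3]);
  const keyLen = readNumber(html, step[4]) || (key ? key.length : 0);
  if (data && key && keyLen > 0 && keyLen <= key.length) {
    report.decodedText = data
      .map((v, i) => String.fromCharCode(v ^ key[i % keyLen]))
      .join("");
  }
  return report;
}

// Constructed sample in the shape quoted above; it decodes to "<b>AD</b>".
const SAMPLE = [
  "<script>",
  "contractions = new Array(61,96,61,64,70,63,46,96,61);",
  "preferential = new Array(1,2,3);",
  "charters = 9;",
  "beetle = 3;",
  'var equal = "";',
  "for(bowl = 0; bowl < charters; bowl++)",
  "   equal = equal + String.fromCharCode(contractions[bowl] ^",
  " preferential[bowl % beetle]);",
  "document.write(equal);",
  "</script>",
].join("\n");

// Same script with one space removed: the literal substring no longer matches.
const RESPACED = SAMPLE.replace("equal + String", "equal +String");

// Constructed benign page that happens to contain the literal substring.
const BENIGN = '<script>var s = "A" + String.fromCharCode(66);</script>';

function demo() {
  return { sample: triage(SAMPLE), respaced: triage(RESPACED), benign: triage(BENIGN) };
}
```

The literal string misses the respaced copy and hits the benign page, while the structural match does the opposite on both, which is why the literal filter needs to be combined with other tests.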


Re: [Declude.JunkMail] MyDoom / Novarg

2004-01-28 Thread Mike K
Search Google and you'll see that many others seem to think they're viri
only too.

And of the legit zips I examined on my system they don't have those
sequences.

Irregardless I block all executable attachments anyways at my mx. This was
strictly for the ones that are bypassing my mx records and sending directly
to my mailbox server.

Mike



- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 27, 2004 5:17 PM
Subject: Re: [Declude.JunkMail] MyDoom / Novarg


>
> >This string is in the beginning of first line of the body of infected emails
> >all but the zips
> >
> >T_V_q_Q_A_AME
> >
> >This is in the beginning of the first line of the .zips
> >
> >U_E_s_D_B_AoAA
> >
> >Both of these strings produce virus hits on Google
>
> IIRC, those are just the encoded beginnings of .exe and .ZIP files -- and
> could catch legitimate .exe and .zip files.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day evaluation.
>
>




Re: [Declude.JunkMail] MyDoom / Novarg

2004-01-27 Thread Mike K
This string is in the beginning of first line of the body of infected emails
all but the zips

T_V_q_Q_A_AME

This is in the beginning of the first line of the .zips

U_E_s_D_B_AoAA

Both of these strings produce virus hits on Google

NOTE: remove the underscores to get the actual string.

I put these in a separate body filter with a delete action. Every one held
today was a virus.

Mike


- Original Message - 
From: "Kevin Bilbee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 27, 2004 4:01 PM
Subject: [Declude.JunkMail] MyDoom / Novarg


> I have been successful trapping most of these viruses with a body filter
> filtering on the
>
> Mail  transaction  failed.  Partial  message  is  available.
>
> and
>
> has  been  sent  as  a  binary  attachment
>
> I placed the extra spaces so they will not get caught by other filters on
> this list. I then use ROUTETO to send the messages to an account I monitor
> for false positives.
>
> Out of about 100 catches so far no false positives.
>
>
> Kevin Bilbee
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Jim Priest
> > Sent: Tuesday, January 27, 2004 12:10 PM
> > To: Chuck Schick
> > Subject: Re[2]: [Declude.JunkMail] evaluating declude
> >
> >
> > Tuesday, January 27, 2004, 2:42:18 PM, Chuck wrote:
> > CS> Here are some of my general guidelines.
> > CS> 4. ) A few pieces of Spam are always going to get through
> > because spammers
> > CS> are always changing their methodology.  We are in a reactive mode.
> >
> > Chuck, thanks for all the info.  Been digging through some of the
> > archives and learning more.
> >
> > Another quick question - how many people use the 'hold' action - and
> > how do you manage any spam which gets held?  I've found some software
> > called 'Spam Review' which looks helpful.
> >
> > jim
> >
> >
> >
>
>


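Whether the two filter strings in this thread can match legitimate files can be checked by decoding them as base64 and comparing against file headers. The block below is an added example, not from the posts; the four header byte arrays are constructed samples and the function names are assumptions.

```javascript
// Added example: decode the two body-filter strings from the thread and see
// which file headers they actually pin down.
const FILTER_EXE = "TVqQAAME";  // first string above, underscores removed
const FILTER_ZIP = "UEsDBAoAA"; // second string above, underscores removed

const MAGICS = [
  { type: "MZ executable", bytes: [0x4d, 0x5a] },
  { type: "ZIP local file header", bytes: [0x50, 0x4b, 0x03, 0x04] },
];

// Only whole 4-character base64 groups decode to whole bytes, so a trailing
// partial group is dropped before decoding.
function decodePrefix(b64) {
  const whole = b64.slice(0, b64.length - (b64.length % 4));
  return Buffer.from(whole, "base64");
}

function identify(b64) {
  const bytes = decodePrefix(b64);
  const hit = MAGICS.find((m) => m.bytes.every((b, i) => bytes[i] === b));
  return { hex: bytes.toString("hex"), type: hit ? hit.type : "unknown" };
}

// True when a file starting with these bytes would begin, once base64-encoded
// as an attachment, with the filter string.
function filterMatches(fileBytes, filterString) {
  return Buffer.from(fileBytes).toString("base64").startsWith(filterString);
}

// Constructed headers (first bytes only, no real file content).
// ZIP local header layout: signature(4) version-needed(2) flags(2) method(2).
const ZIP_VERSION_10 = [0x50, 0x4b, 0x03, 0x04, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00];
const ZIP_VERSION_20 = [0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x08, 0x00];
const EXE_SAME_BYTES = [0x4d, 0x5a, 0x90, 0x00, 0x03, 0x04, 0x00, 0x00];
const EXE_OTHER_BYTES = [0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00];

function demo() {
  return {
    exeString: identify(FILTER_EXE),
    zipString: identify(FILTER_ZIP),
    zipVersion10Matches: filterMatches(ZIP_VERSION_10, FILTER_ZIP),
    zipVersion20Matches: filterMatches(ZIP_VERSION_20, FILTER_ZIP),
    exeSameBytesMatches: filterMatches(EXE_SAME_BYTES, FILTER_EXE),
    exeOtherBytesMatches: filterMatches(EXE_OTHER_BYTES, FILTER_EXE),
  };
}
```

Each string decodes to a format's magic number plus a few following header bytes, so it says nothing about the content after the header: any file that begins with the same bytes matches, and files of the same type whose next header bytes differ do not.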


Re: [Declude.JunkMail] Manual

2004-01-23 Thread Mike K
Scott:

Your abilities as a writer are fine. I have seen many of your explanations
on use of features and for most I think they would suffice. They just need
to be put in the online manual at the same time you post a message to the
list.

I agree that beta features should not be in the main manual but could be
listed in a separate change.log file or in a beta/interim release file.

Mike

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 23, 2004 3:02 PM
Subject: Re: [Declude.JunkMail] Manual


>
> >I have not renewed my Junkmail SA due to the lack of an updated manual.
> >
> >If Scott would spend the same amount of time updating the manual as he does
> >explaining to the list how features work, the manual would be current.
> >
> >Monitoring and researching list archives is fine for free or diy software
> >but for a paid product with stable features it's unacceptable.
>
> There seem to be two main issues with the manual.
>
> [1] It needs an overhaul by a technical writer.
> [2] It does not include all the features that are available in the latest
> beta, and
>
> #1 is something that has been an issue for some time.  We actually did look
> for a technical writer a while back, but there was a snag that prevented it
> from being completed.  We are definitely planning on addressing this.
>
> As far as #2 goes, unfortunately, if we add beta features to the manual,
> there are several problems.  First, customers are going to get frustrated
> that they cannot use features shown in the manual (which would cost us more
> for support, too).  Second, we would have to make many changes to the
> manual as beta features are altered.  Third, I'm sure that if we were to
> add beta features to the manual, a lot of people would then expect them for
> interim releases.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day evaluation.
>
>
>




Re: [Declude.JunkMail] Manual

2004-01-23 Thread Mike K
I have not renewed my Junkmail SA due to the lack of an updated manual.

If Scott would spend the same amount of time updating the manual as he does
explaining to the list how features work, the manual would be current.

Monitoring and researching list archives is fine for free or diy software
but for a paid product with stable features it's unacceptable.

Mike





[Declude.JunkMail] Spammer network

2003-12-11 Thread Mike K
For what it's worth this is the info of a spam host that harvested one of my
emails from the whois database and will spam using different domain names to
get around unsubscribe requests.

Here's the current one:
Received: from Mailer3.gd-aol.com (52.gd-aol.com [66.63.163.52])

Here's one from a month ago:
Received: from mailer16.i-jst5.com (unknown [66.63.167.61])

The host is below.

OrgName:    OC3 Networks & Web Solutions, LLC
OrgID:      ONWSL
Address:    6279 Variel Ave
Address:    Suite H
City:       Woodland Hills
StateProv:  CA
PostalCode: 91367
Country:    US

NetRange:   66.63.160.0 - 66.63.175.255
CIDR:       66.63.160.0/20




Re: [Declude.JunkMail] wanadoo.fr

2003-12-11 Thread Mike K
And a big source of spam from those dialup and dsl IPs

Mike

- Original Message -
From: "serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 10, 2003 10:19 PM
Subject: Re: [Declude.JunkMail] wanadoo.fr


> this is france telecom (french at&t) internet services
> largest isp in france, with dialup and dsl customers
>
>
> - Original Message -
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 10, 2003 5:17 PM
> Subject: [Declude.JunkMail] wanadoo.fr
>
>
> > Any one see legit coming from this domain? All I see are spam.
> >
> > John Tolmachoff
> > Engineer/Consultant/Owner
> > eServices For You
> >
> >
> >
>
>




Re: [Declude.JunkMail] Character set/unicode testing?

2003-09-17 Thread Mike K
Mark:

I get a fair amount of this also. Mine seems to come mostly from broadband
lines (rr, verizon, charter, comcast, attbi) so I ip block at the /24 level
(class c). Of course it's after the fact. But should block some future spam.

I also have a subject filter to add weight for non western char sets. Seems
to help catch some.

Mike

- Original Message -
From: "mark_smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 17, 2003 9:12 AM
Subject: [Declude.JunkMail] Character set/unicode testing?


> Sending this again.
> Any ideas?
>
> > Is there any way to filter based on character set, code page, etc?
> > I'm getting swamped with tons of Cyrillic spam lately and it's
> > passing my RBL's recently.
> >
> > I can't filter by code word or phrase and the MAILFROM field
> > is random.
> >
> > Any thoughts?
> >
> > Here's a sample
> >
> > -0-
> >
> > ETOpJa8Lj9twl9fIQ
> > Продам или сдам помещение (офис, мед. центр и.т.д.) м.
> > Красногвардейская. Ореховый бульвар, д.59, (7-10 мин.
> > пешком). 352,8 кв. м. 1-й этаж ж/д (нежилой фонд), 2 отд.
> > входа с улицы , большие окна, отдельный блок, рабочее
> > состояние, любое количество телефонов, ПА, удобный подъезд и
> > парковка. Можно делить помещение на 2 части.
> > Продажа 1100$ кв. м, возможна аренда: 200$ кв. м. /год (с торгом).
> > Татьяна Александровна: rcl506TD940837
> > TIGQEcqiUgIFpRrJ
> >
> Nf≈╠ф²Г╒╩╝К╠╪yиuЕ╝К╤зЪ
uГ╧в╒d┼аj)jg╝┴┘Юr[x⌡░ф√f√)√+N▀╡Фr╦z;╤гu╘≥╗╤┬j)╝Вr[yйjwй≈·к╠йmЮr[x⌡░ф∙8j╥┼Вq╘
yЗ²ж├шЪЭбf∙╙├+


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

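A sketch of the subject test for non-western character sets mentioned in the reply above, as an added example that is not part of the thread and not Declude's own code. It decodes the RFC 2047 Subject header, weights the message by the share of letters outside the Latin script, and also reports words that mix scripts. The function names, the weight scale, the 30% threshold and the sample subjects are assumptions constructed for illustration.

```python
import unicodedata
from email.header import Header, decode_header, make_header

# Assumption: this site treats only the Latin script as "western".
WESTERN_SCRIPTS = {"LATIN"}

def decode_subject(raw):
    """Decode RFC 2047 encoded-words. Returns (text, declared charsets)."""
    parts = decode_header(raw)
    charsets = {cs.lower() for _, cs in parts if cs}
    try:
        text = str(make_header(parts))
    except (LookupError, UnicodeDecodeError):
        # Unknown or mislabelled charset: decode leniently instead of failing open.
        text = "".join(p.decode("latin-1") if isinstance(p, bytes) else p
                       for p, _ in parts)
    return text, charsets

def script_of(ch):
    """First word of the Unicode name ('CYRILLIC', 'LATIN', 'CJK', ...) for letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def non_western_weight(raw_subject, max_weight=10, threshold=0.3):
    """Weight 0..max_weight, proportional to the share of non-western letters."""
    text, _ = decode_subject(raw_subject)
    scripts = [s for s in map(script_of, text) if s]
    if not scripts:
        return 0
    foreign = sum(1 for s in scripts if s not in WESTERN_SCRIPTS)
    ratio = foreign / len(scripts)
    return round(max_weight * ratio) if ratio >= threshold else 0

def mixed_script_words(raw_subject):
    """Words that combine scripts, e.g. a Cyrillic letter inside a Latin word."""
    text, _ = decode_subject(raw_subject)
    hits = []
    for word in text.split():
        if len({script_of(c) for c in word} - {None}) > 1:
            hits.append(word)
    return hits

# Constructed sample: the Cyrillic subject quoted elsewhere in this archive,
# encoded the way a KOI8-R mailer would put it on the wire.
SAMPLE_SPAM = Header("Недорогие звонки зарубеж!", "koi8-r").encode()

if __name__ == "__main__":
    for subject in (SAMPLE_SPAM,
                    "Re: [Declude.JunkMail] Character set/unicode testing?",
                    "Verify your Acc\u043eunt"):  # constructed, Cyrillic "о"
        print(decode_subject(subject), non_western_weight(subject),
              mixed_script_words(subject))
```

The ratio test and the mixed-script test catch different mail: a fully Cyrillic subject scores the maximum weight, while a single substituted letter stays under the threshold and is only visible in the mixed-script list.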


[Declude.JunkMail] How to config subjectchars test

2003-09-16 Thread Mike K
Can specific characters be specified? If so how?

If not a feature request to look for a specified char and the count, just
like the subjectspaces test.

Could be useful for "U*n*i*v*e*r*s*i*t*y d*i*p*l*o*m*a"

Mike




Re: [Declude.JunkMail] OBFUSCATION filter

2003-09-16 Thread Mike K
Sorry, just noticed, this was in the "subject".

Mike

- Original Message -----
From: "Mike K" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 3:32 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter


> May want to account for foreign languages also. I just received this spam
> while I was adding your URL obfuscation filter.
>
> Недорогие
> звонки
> зарубеж!
>
> Mike
>
>
> - Original Message -
> From: "Matthew Bramble" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, September 15, 2003 12:40 PM
> Subject: Re: [Declude.JunkMail] OBFUSCATION filter
>
>
> > Pete,
> >
> > It's not redundant because the two by themselves only check for strings
> > of two, while the combination checks for strings with one of each in
> > succession.  This way, if they go back and forth between the two, it
> > will get caught as long as there is a "." or "@" between them, or as
> > long as it is URL encoding followed by HTML encoding.  I left out the
> > other way around because it was only a two character string, ";%" and
> > wanted to protect from FP's.
> >
> > I do appreciate the feedback though...I do of course make mistakes.
> >
> > Matt
> >
> > Pete McNeil wrote:
> >
> > > Matt,
> > >
> > > It appears that your coding for a combination of http & url encoding
> > > in urls is redundant since you capture both types individually. It's a
> > > small optimization, but worth mentioning.
> > >
> > > _M
> > >
> > > At 07:46 PM 9/14/2003 -0400, you wrote:
> > >
> > >> I've posted a newer version of the OBFUSCATION filter on my site.
> > >> This contains the removal of the attachment thing and also the
> > >> removal of 6 (of over 100) tests in order to be more forgiving, sans
> > >> the PayPal issue.
> > >>
> > >>
> > >> http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
> > >>
> > >>
> > >> If you find any false positives with this besides the Ticketmaster
> > >> one that I've already counterbalanced, please let me know.  I would
> > >> imagine that posting to this group would be better than PM's unless
> > >> others mind having discussion here.  That way everyone would know
> > >> about any issues ASAP.
> > >>
> > >> Thanks,
> > >>
> > >> Matt


Re: [Declude.JunkMail] OBFUSCATION filter

2003-09-16 Thread Mike K
May want to account for foreign languages also. I just received this spam
while I was adding your URL obfuscation filter.

Недорогие
звонки
зарубеж!

Mike


- Original Message -
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 12:40 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter


> Pete,
>
> It's not redundant because the two by themselves only check for strings
> of two, while the combination checks for strings with one of each in
> succession.  This way, if they go back and forth between the two, it
> will get caught as long as there is a "." or "@" between them, or as
> long as it is URL encoding followed by HTML encoding.  I left out the
> other way around because it was only a two character string, ";%" and
> wanted to protect from FP's.
>
> I do appreciate the feedback though...I do of course make mistakes.
>
> Matt
>
> Pete McNeil wrote:
>
> > Matt,
> >
> > It appears that your coding for a combination of http & url encoding
> > in urls is redundant since you capture both types individually. It's a
> > small optimization, but worth mentioning.
> >
> > _M
> >
> > At 07:46 PM 9/14/2003 -0400, you wrote:
> >
> >> I've posted a newer version of the OBFUSCATION filter on my site.
> >> This contains the removal of the attachment thing and also the
> >> removal of 6 (of over 100) tests in order to be more forgiving, sans
> >> the PayPal issue.
> >>
> >>
> >> http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
> >>
> >>
> >> If you find any false positives with this besides the Ticketmaster
> >> one that I've already counterbalanced, please let me know.  I would
> >> imagine that posting to this group would be better than PM's unless
> >> others mind having discussion here.  That way everyone would know
> >> about any issues ASAP.
> >>
> >> Thanks,
> >>
> >> Matt


Re: [Declude.JunkMail] JM held mail viewer

2003-09-16 Thread Mike K
Perfect, Thank you.

Mike

- Original Message -
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 10:11 AM
Subject: Re: [Declude.JunkMail] JM held mail viewer


> Yes, there is a neat little decode app from Funduc Software that supports
> decoding of several encoding types, and it integrates nicely into the
> Windows Explorer right-click feature (so if you right-click on a file, one
> of your options is "Decode").  You can find it at www.funduc.com under the
> "Free Stuff" section (which makes it even better).
>
> Bill
> - Original Message -
> From: "Mike K" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 16, 2003 7:00 AM
> Subject: [Declude.JunkMail] JM held mail viewer
>
>
> > Is there a util that allows viewing/decoding of base64 encoded D*.SMD spool
> > files that's been held by JM?
> >
> > Mike


[Declude.JunkMail] JM held mail viewer

2003-09-16 Thread Mike K
Is there a util that allows viewing/decoding of base64 encoded D*.SMD spool
files that's been held by JM?

Mike





Re: [Declude.JunkMail] URL's in Body as IP4r type..

2003-07-11 Thread Mike K
I've been blocking based on content for a few years.

The open relays/proxies/hacked servers/spam friendly networks just keep
moving ips. Much more logical but resource intensive to block on content.

The message is the real problem not the messenger.

And it is much more difficult to hide the url/email address using junk
embedded comments.

Mike

  - Original Message -
  From: Kami Razvan
  To: [EMAIL PROTECTED]
  Sent: Friday, July 11, 2003 9:05 AM
  Subject: [Declude.JunkMail] URL's in Body as IP4r type..

  Hi;

  I am just brainstorming.. Pro.. con?

  We know one thing about spam.. someone is trying to sell something.. so in
  every spam there has to be a way for the spammer to be contacted through:

  1:  Web site visit (URL or IP),
  2:  email
  3:  Phone number

  In general I have seen no more than one or two of the above unique entries
  in a single spam.

  In the absence of a point of contact there is no point in the broadcasted
  mass mail.

  Of course the above is the obvious ..

  While all IP4r tests concentrate on finding the point of origin of the
  email what if we try to block the email content?

  So what if..

  1: An added program be written as an add-on to Declude that extracts the
  unique emails, URL's, IP's or phone numbers from the body of the email.

  2:  Sends these numbers as query to a server much like the IP4r tests for
  response.

  Would this not work?

  I know with our filter tests we have pretty much blocked all spam.  In the
  last month I have had one spam that came through and the rest are all
  blocked.  So if we are to expand on this the logical step, in my opinion,
  is to have a centralized check point for all the entries we have.

  We can brainstorm about this and bring out bad, good, what if's, .. maybe
  collectively we can solve this problem.

  Bad idea!?

  Regards,
  Kami
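The lookup proposed in the quoted message, sketched as an added example that is not part of the thread and not an existing Declude feature: pull the contact points out of a body and turn each into a DNS query name the way an ip4r test does. The zone name, the SHA-1 labels for e-mail addresses and phone numbers, and the sample body are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
import re
import socket

ZONE = "contacts.dnsbl.invalid"   # hypothetical list zone, not a real service

HOST_RE = re.compile(r"https?://([^/\s:\"'<>]+)", re.I)
MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?<![\w.])\+?\d[\d\s()-]{8,}\d(?!\w)")

def contact_points(body):
    """Unique (kind, value) pairs: URL hosts, e-mail addresses, phone numbers."""
    points = set()
    for host in HOST_RE.findall(body):
        points.add(("host", host.lower().rstrip(".")))
    for addr in MAIL_RE.findall(body):
        points.add(("email", addr.lower()))
    for num in PHONE_RE.findall(body):
        digits = re.sub(r"\D", "", num)
        if len(digits) >= 10:            # skips dates such as 2003-07-11
            points.add(("phone", digits))
    return points

def query_name(kind, value, zone=ZONE):
    """DNS name to look up for one contact point."""
    if kind == "host":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return f"{value}.{zone}"                  # domain name as-is
        # ip4r convention: octets reversed in front of the zone
        return ".".join(reversed(str(ip).split("."))) + "." + zone
    # Assumption: addresses and numbers are not valid DNS labels, so hash them.
    digest = hashlib.sha1(f"{kind}:{value}".encode()).hexdigest()
    return f"{digest}.{kind}.{zone}"

def dns_listed(name):
    """Resolver for live use: any A record means 'listed'."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def check_body(body, is_listed=dns_listed, zone=ZONE):
    """Contact points in the body that the list server reports as listed."""
    return sorted(p for p in contact_points(body)
                  if is_listed(query_name(*p, zone=zone)))

# Constructed sample body (documentation address range and fictional number).
SAMPLE_BODY = ("Visit http://192.0.2.1/buy or http://Pills.Example/ now. "
               "Reply to sales@pills.example or call +1 (555) 010-0199.")

if __name__ == "__main__":
    for point in sorted(contact_points(SAMPLE_BODY)):
        print(point, "->", query_name(*point))
```

Passing a different `is_listed` callable lets the same code run against a local set of names for testing before any DNS zone exists.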
   


Re: [Declude.JunkMail] Idea for a test...

2003-02-24 Thread Mike K
Scott:

You may just want to build support for unix style regular expressions.

Complicated, but they can do this and much more.

Note: Len's IMGate solution can do this also but with half the cpu
horsepower that NT/2K require. I use IMGATE as a front end to IMAIL/Declude
to do exactly this.

Expression matching does get cpu intensive if you don't limit it to say the
first 5K bytes (scanning a 5 meg attachment for ex.) or so and make sure it
runs after less resource intensive tests (rbls).

Mike

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 24, 2003 10:36 AM
Subject: Re: [Declude.JunkMail] Idea for a test...


>
> >As we all know the spammers insert special characters in the middle of
> >subject words to bypass the filters, e.g. P/O/R/N, or all sort of other
> >variations.
> >
> >Can a test be devised, similar to the COMMENT test that counts the number
> >of special characters or detect similar characters appearing in the middle
> >of words.
> >
> >I guess one way to approach this is to first count if there are more than
> >1 or 2 special characters and if yes then determine if they are followed
> >by text.
> >
> >This could be a weight test.
>
> This does sound like a good idea.  Our spamtraps don't seem to get much
> spam like that, but a test looking for non-alphanumeric characters that are
> surrounded by alphanumeric characters might make some sense (which would
> catch "P/O/R/N").
> -Scott
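An added example, not part of the thread and not Declude's own test: a sketch of the check discussed here (non-alphanumeric characters surrounded by alphanumerics), together with the per-character count asked for in the subjectchars feature request elsewhere in this archive. The function names, the weights and the four-letter minimum are assumptions chosen for illustration.

```python
import re
import string

# One non-alphanumeric, non-space character with an alphanumeric on each side.
# Lookarounds keep the neighbours unconsumed so every "/" in "P/O/R/N" counts.
INWORD = re.compile(r"(?<=[A-Za-z0-9])[^A-Za-z0-9\s](?=[A-Za-z0-9])")

def count_char(subject, ch):
    """Occurrences of one specified character (the subjectchars idea)."""
    return subject.count(ch)

def inword_separators(subject):
    """Every special character that sits between two alphanumerics."""
    return INWORD.findall(subject)

def collapse_token(token, min_letters=4):
    """Return the hidden word if the token is single characters joined by
    separators (U*n*i*v... -> Univ...), otherwise None.

    Requiring single characters and at least min_letters of them keeps
    dates (9/14/2003), 'e-mail' and short abbreviations (U.S.A.) out.
    """
    core = token.strip(string.punctuation)
    pieces = re.split(r"[^A-Za-z0-9]+", core)
    if len(pieces) >= min_letters and all(len(p) == 1 for p in pieces):
        return "".join(pieces)
    return None

def score_subject(subject, per_word=5, cap=10):
    """Weight test: per_word points for each separated word, capped."""
    words = [w for w in map(collapse_token, subject.split()) if w]
    return {
        "inword": len(inword_separators(subject)),
        "words": words,
        "weight": min(cap, per_word * len(words)),
    }

if __name__ == "__main__":
    # Subjects taken from the thread plus two constructed legitimate ones.
    for subject in ("U*n*i*v*e*r*s*i*t*y d*i*p*l*o*m*a",
                    "P/O/R/N",
                    "Re: [Declude.JunkMail] Idea for a test...",
                    "Meeting 9/14/2003 at 7 a.m. in the U.S.A."):
        print(subject, "->", score_subject(subject))
```

The raw in-word count is non-zero for ordinary subjects such as list tags, which is why the weight here is driven by collapsed words and not by the count alone.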


[Declude.JunkMail] Opinion on bulk mailers

2003-01-14 Thread Mike K
What is everyone's opinion on bulk mailers like flowgo, gossipflash,
valoffers, quill? The joke lists, cell phone offers, travel offers, software
offers, etc.

The old saying one man's trash is another's treasure comes to mind. While I as
an isp admin think it's trash, and optin is the only true legit method, a
user might want this stuff. Most if not all are listed on the RBLs. And has
anyone successfully unsubscribed from their lists?

Topica is a good example, at first they appeared to be spammers then they
seemed to have cleaned up their act. I even see some of their e-mails come
through with the Habeas signature embedded. However some of the emails seem
of questionable content.

Mike





Re: [Declude.JunkMail] Spoofed IP's

2003-01-10 Thread Mike K
Spamcop will send notices based on IP and domain name. I had several notices
because of a "joe job" using our domain name with a forged return email
address.

If it's a legit Spamcop notice then just reply as appropriate. Usually these
complaints originate from clueless aol users. They look at the forged "From"
address and send a complaint.

Mike

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 09, 2003 9:37 PM
Subject: Re: [Declude.JunkMail] Spoofed IP's


>
> >We have a problem, where SpamCop or someone, will contact us claiming they
> >have received spam from our IP range. I investigate only to find out what I
> >expected, there is no server, client, or anything on that subnet. In fact we
> >haven't allocated that subnet yet, it sits unused.
>
> You may want to check out http://spamcop.net/fom-serve/cache/338.html ,
> which shows a sample "real" report from SpamCop -- there was a spammer that
> was sending out lots of fake SpamCop notices a while back, he may have
> started up again.
>
> >My immediate suspicion is that the address is spoofed. We have bogon filters
> >on the edge of our network, so I am 99.9% sure that these are spoofed
> >addresses.
> >
> >Do any of you experience this too? Any suggestions? I get about 2 or 3
> >claims a week and it's just bothersome.
>
> My guess would be either that it was a spoofed report (not from SpamCop),
> or that it isn't related to your IP (for example, I've heard that SpamCop
> will report web sites that are listed in spam).
>
> IP spoofing is usually very, very difficult to do -- doable by a
> knowledgeable hacker with the right compromised servers, nearly impossible
> for a script kiddie, and probably impossible for any spammer.  It is next
> to impossible to do with a Windows computer, and Windows computers are what
> spammers and script kiddies tend to have for compromised servers.  Even if
> a spammer knew how to do it, the drawbacks of doing so would likely well
> outweigh the benefits.
>  -Scott



[Declude.JunkMail] Recommendation on RBLs

2002-12-26 Thread Mike K
In everybody's opinion, what RBLs have the lowest rate (possibly zero) of
false positives?

I use Junkmail and IMGate and want to block the real obvious junk (at
IMGate) while giving my users more control options on the "grey" stuff.

Mike





[Declude.JunkMail] IPBYPASS

2002-12-23 Thread Mike K
Is it possible to use CIDR in IPBYPASS?

Ex: 192.168.0/24

Mike





[Declude.JunkMail] ??? on RBLs

2002-12-17 Thread Mike K
While I know this is usually based on personal preference, and highly
subjective, but what do others find as the most reliable RBLs but with the
minimum of false positives?

Mike







[Declude.JunkMail] filter question

2002-11-21 Thread Mike K
Can Junkmail pro filters (for msg body) use wildcards? Is there a reference?

I want to create a filter (to hold) msgs that have embedded urls with IP
addresses in them.

I can do this in my IMGate machine but want to see what I catch first.

Mike





Re: [Declude.JunkMail] Wordfilter bypassed

2002-11-20 Thread Mike K
A spam I received yesterday had these comments in it also.

However one thing I noticed was that the spam had a url that started off
with the standard http then was followed by
PercentHexHexPercentHexHexPercentHexHexPercentHexHexPercentHexHex and so on.

This should be very easy to filter on as no legit mailer should be hiding
urls like that.

Mike






- Original Message -
From: "Madscientist" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 19, 2002 8:47 PM
Subject: RE: [Declude.JunkMail] Wordfilter bypassed


> |
> | However, that's the way spam control is heading.  As more and
> | more people
> | get fed up with spam, more and more of the bozos that are
> | doing things the
> | wrong way will need to fix their problems.
> |
> | I can understand an HTML E-mail having one or two comments in
> | it, but 10 or
> | 20 is just a waste of bandwidth.  That is information the
> | recipient will
> | never see.
> |
> | -Scott
>
> Where we got into trouble was with big corporate iron... (IBM, Sun,
> Microsoft, etc...) The comments in those messages were part of the code
> base generating the messages and I can imagine (as a web developer also)
> that they are pretty vital to the developers in their ongoing
> maintenance efforts. It's not uncommon to see quite a few of them. As we
> increased the threshold to accommodate the legitimate messages we were
> capturing we soon reached a level where legitimate and non-legitimate
> were practically indistinguishable. All I'm saying here is that since
> HTML email is here to stay, and HTML comments are legitimate and
> sometimes required for coding standards, a simple count of HTML comments
> will not be a valid spam test in most cases. This has been our
> experience - your mileage may/will vary.
>
> _M



[Declude.JunkMail] filtering for comments in HTML email

2002-11-19 Thread Mike K
The recent thread on the spam html e-mails that have comments scattered
throughout the words.

I just had one of these spams sent to me.

Filter on the hyperlink that's embedded within.

The spam sent to me had a url like this
http://%4C%50%4D%43%34%4F%73%56%78%

You can filter on this as NO legit mailer should be creating urls like this.

Mike


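An added example, not part of these posts and not Declude or IMGate filter syntax: one way to express the URL tests discussed in this message, in the earlier "Wordfilter bypassed" reply and in the "filter question" post about URLs with embedded IP addresses. It flags URLs whose host part is percent-encoded, written with HTML numeric character references, or a bare IPv4 address. The flag names and the sample body are assumptions; the two flagged URLs in the sample are the ones quoted in this archive.

```python
import html
import ipaddress
import re
from urllib.parse import unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PCT = re.compile(r"%[0-9A-Fa-f]{2}")
ENTITY = re.compile(r"&#[xX]?[0-9A-Fa-f]+;")

def url_flags(url):
    """Reasons to hold a URL, judged on the host part only.

    Percent-encoding in the path or query is normal and is not flagged.
    """
    flags = set()
    # Everything between "://" and the first "/", entities still encoded.
    raw = url.split("://", 1)[1].split("/", 1)[0]
    if ENTITY.search(raw):
        flags.add("html-entity-host")
    auth = re.split(r"[?#]", html.unescape(raw), maxsplit=1)[0]
    if PCT.search(auth):
        flags.add("pct-host")
    # Decode, then drop any user@ prefix and :port suffix to get the host.
    host = unquote(auth).rsplit("@", 1)[-1].split(":", 1)[0]
    try:
        ipaddress.IPv4Address(host)
        flags.add("ip-host")
    except ValueError:
        pass
    return flags

def scan_body(body):
    """(url, sorted flags) for every flagged URL in a message body."""
    hits = []
    for url in URL_RE.findall(body):
        flags = url_flags(url)
        if flags:
            hits.append((url, sorted(flags)))
    return hits

# Constructed body; the first two URLs are quoted from this archive.
SAMPLE_BODY = """\
Filter update: http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
Click http://%4C%50%4D%43%34%4F%73%56%78% to order
Newsletter: http://www.example.com/offer?id=%20x
"""

if __name__ == "__main__":
    for url, flags in scan_body(SAMPLE_BODY):
        print(flags, url)
```

The first sample line is a legitimate link from this list that trips the IP-address test, which is the reason to run such a test as a hold or weight and review what it catches before blocking on it.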



Re: [Declude.JunkMail] Why did this get nabbed by my pornfilter?

2002-11-15 Thread Mike K
Had a similar occurrence on filtering for those stupid spam penny stock tips
that always contain "O*T*C"

Found out that attachments sometimes morphed to contain that string.

Lesson learned, be more specific.

Mike

- Original Message -
From: "Sharyn Schmidt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 15, 2002 8:15 AM
Subject: RE: [Declude.JunkMail] Why did this get nabbed by my pornfilter?


> Statistically it should not happen often,
> but it can happen occasionally.  The longer the string you search on,
> the
> less likely it will happen.
> -Scott
>
>
>
> Thanks, Scott. This is the very first time something like this has
> happened so I'm not going to worry about it. Just making sure I didn't
> miss something obvious :)
>
> Sharyn
>
>
> We are the worldwide producer and marketer of the award winning Cruzan
> Single Barrel Rum, judged "Best in the World" at the annual
> San Francisco Wine and Spirits Championships. For
> more information, please click (go to) http://www.cruzanrums.com