Re: [Declude.JunkMail] too funny
This is the best part, Registration is via a confidential money transfer. Send your bank's name, account number, your name, address, telephone number, and fax numbers. Please note again that this transaction is strictly confidential and as such should be kept secret. Be rest assured that this transaction is 100% risk free. Mike - Original Message - From: "Kevin" <[EMAIL PROTECTED]> To: Sent: Monday, April 17, 2006 4:14 PM Subject: [Declude.JunkMail] too funny Saw this in a security newsletter: http://j-walk.com/other/conf/index.htm Nigerian Email Conference --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.385 / Virus Database: 268.4.4/318 - Release Date: 4/18/2006 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Decludeproc abend
Actually it was Novell that intro'd this word to the PC server world, Microsoft just intro'd it to the masses:-) Mike - Original Message - From: Nick Hayer To: Declude.JunkMail@declude.com Sent: Wednesday, December 21, 2005 16:51 Subject: Re: [Declude.JunkMail] Decludeproc abend John T (Lists) wrote: Is abend some kind of French word?AbnormalEnding. - circa 1985 - coined with the introduction of Microsoft products.-Nicko ;) John T eServices For You -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran JovanovicSent: Wednesday, December 21, 2005 1:13 PMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Decludeproc abend I have had decludeproc 3.0.5.22 abend on me twice today. Is there anything I should be doing to capture information about this? I have automatic restart enabled so it starts again but I am not super happy with it abending. Any hints on what (if anything) I can/should be doing? Goran Jovanovic Omega Network Solutions No virus found in this incoming message.Checked by AVG Free Edition.Version: 7.1.371 / Virus Database: 267.14.3/209 - Release Date: 12/21/2005
Re: [Declude.JunkMail] does anyone punish email from these folks?
We outright reject all their mail. We started by just holding and found lots of 'suspicious' activity like identical emails with different "from" domains, etc. Normal spam type stuff CC offers, grant money, etc. The we started blocked one /24, then they switched to other subnets so we blocked their entire IP space. No complaints from users. Mike - Original Message - From: Nick Hayer To: Declude.JunkMail@declude.com Sent: Tuesday, December 20, 2005 10:36 Subject: [Declude.JunkMail] does anyone punish email from these folks? I sure do get allot of spam from this ip space - are they legit and are lacking in their monitoring or ?Thanks --NickOrgName:WholeSale Internet OrgID: WHOLE-125 Address:1102 Grand Ave Suite 905 City: Kansas City StateProv: MO PostalCode: 64106 Country:US NetRange: 69.30.192.0 - 69.30.239.255 CIDR: 69.30.192.0/19, 69.30.224.0/20 NetName:WHOLESALEINTERNET No virus found in this incoming message.Checked by AVG Free Edition.Version: 7.1.371 / Virus Database: 267.14.1/206 - Release Date: 12/16/2005
Re: Re[4]: [Declude.JunkMail] domain name a name
Postfix with postgrey does exactly this. Delays 5 minutes and maintains a db of subnet, sender & recipient combo. Mike - Original Message - From: "Colbeck, Andrew" <[EMAIL PROTECTED]> To: Sent: Friday, February 11, 2005 13:56 Subject: RE: Re[4]: [Declude.JunkMail] domain name a name I meant to also add that I recently had many hours of planned downtime on my MTA in my absolute lowest ham window - late Saturday evening through early Sunday morning. I saw very little spam increase once the MTA was back up. This tells me that the spammers have not yet implemented full MTAs that retry their queued spam. An MTA that tells them to try again later (greylisting) would work well for me. If greylisting that was configurable by hours was available to me, I might turn it off during business hours for maximum "safety". I would also want a feature to gather addresses/domains/IPs from my outbound mail to create an autowhitelist*. Andrew 8) * http://eservicesforyou.com/ John Tolmachoff, do you still sell AutoWhite? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Friday, February 11, 2005 6:49 AM To: Darin Cox Subject: Re[4]: [Declude.JunkMail] domain name a name On Friday, February 11, 2005, 9:28:28 AM, Darin wrote: DC> Hi Pete, DC> Right... but the first few typically slip through before they're DC> added to your filters (like they would for anyone)...so we add them DC> on the first report to us as well. I'll raise the feature request again --- as soon as I get my flameproof suit on: Declude should have a test/feature to delay a message by x hours if the sender is not recognized. This gives all filtering mechanisms time to adapt to new spam sources. Once the delay time has expired the message is passed through as if it were new so that the presumably updated BLs, filters, etc will have the ability to filter the message (if needed). To revive and put to rest past arguments about this: Big reason not to do this: It is unforgivable and in all other ways a bad idea to delay any message by any amount of time and huge amounts of money or even lives may be lost if this happens. To which I contend... If this is the first time you have ever received a message from a particular source then there is no expectation yet for the time to delivery and email systems in general may impose end-to-end delays of between minutes to hours depending upon many unknown factors at any time (queues, down servers, down connectivity, graylisting (force retry at first connect)). Since only _new_ connections would be effected, this feature would go almost un-noticed in the vast majority of cases. All other email sources, where there is an expectation, would be passed at full speed with normal filtering. Also, IF you happen to be in a position where you really can't afford to impose any delays on new messages then: A) You probably aren't filtering anyway since that would be dangerous [ a conflict in policy ] and B) You _can_ turn it off ;-) Those are my thoughts on that ( once again ). _M /M retreats to underground bunker & activates shields at full power. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] domain name a name
Perhaps a test that looks at the date of registration so new domains could be weighted higher. Mike - Original Message - From: "Nick" <[EMAIL PROTECTED]> To: Sent: Wednesday, February 09, 2005 12:25 Subject: Re: [Declude.JunkMail] domain name a name I am seeing more and more I guess one would call throw-away domains like: .hdcnsowp.com .hcnmvkofut.com .eisopfkcnjt.com .edhcbxgsyi.com These are generally in the body of an email; is there a way to determine if a domain is in readable format? I would not fail an email over this but it would be nice to punish the email at least to some degree - -Nick --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] ed10.com - E-Dialog
Ok here Mike - Original Message - From: "DLAnalyzer Support" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, December 10, 2004 10:29 Subject: [Declude.JunkMail] ed10.com - E-Dialog Does anyone have any feedback on E-Dialog.com. It appears their are several reputable companies using them (NFL, Reuters, etc). Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Scam letter filter
Create a custom body filter that contains a list of the unique phrases, misspellings and names they use in the letters. Along with filters like Matt's at mailpure.com will catch most if not all of them. There is a website that has a lot of the phrases also, do a Google for 4_1_9 and N*i*g*e*r*i*a should turn up the address Mike - Original Message - From: "John Carter" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, November 22, 2004 09:23 Subject: [Declude.JunkMail] Scam letter filter I've been looking at the archives about the N*i*g*e*r*i*a*n letter filters and saw a lot of discussion back in January, but couldn't tell what people concluded would be the best filter for this. Does anyone have anything to share? (Prefer a Declude only solution as I don't have SpamAssassin.) Thanks, John --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] weird random .htm attachments
yes Mike - Original Message - From: "Glenn Brooks" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, March 30, 2004 09:20 Subject: Re: [Declude.JunkMail] weird random .htm attachments > so you do a body filter? > > At 09:00 AM 3/30/2004 -0500, you wrote: > >I filter on this "+ String.fromCharCode(" > > > >This is common in all of them. Combined with other tests it catches most. > > > >Mike > > > > > > > >- Original Message - > >From: "Glenn Brooks" <[EMAIL PROTECTED]> > >To: <[EMAIL PROTECTED]> > >Sent: Monday, March 29, 2004 20:02 > >Subject: RE: [Declude.JunkMail] weird random .htm attachments > > > > > > > Has anyone set up a filter to catch thesewe get a lot of them... > > > > > > gb > > > > > > > > > At 04:41 PM 3/29/2004 -0800, you wrote: > > > >Yes, I have been seeing them too. They are java scripts that run. > >Definitly > > > >spam. > > > > > > > >John Tolmachoff > > > >Engineer/Consultant/Owner > > > >eServices For You > > > > > > > > > -Original Message- > > > > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > > > > > [EMAIL PROTECTED] On Behalf Of Kevin > > > > > Sent: Monday, March 29, 2004 4:37 PM > > > > > To: [EMAIL PROTECTED] > > > > > Subject: [Declude.JunkMail] weird random .htm attachments > > > > > > > > > > Hi, > > > > > > > > > > Tried searching mail-archive.com for these but didn't turn up > >anything. > > > > > > > > > > Subject: pass on the fun [random subjects] > > > > > Body: This message has attach [random too] > > > > > [random attachments but always ends in .htm] > > > > > > > > > > I didn't open it with IE but with a text editor. > > > > > > > > > > Starts with contractions = new > >Array(162, > > > > > [whole bunch of numbers] > > > > > > > > > > ends with > > > > > > > > > > charters = 907; > > > > > beetle = 243; > > > > > var equal = ""; > > > > > for(bowl = 0; bowl < charters; bowl++) > > > > >equal = equal + String.fromCharCode(contractions[bowl] ^ > > > > > preferential[bowl % beetle]); > > > > > document.write(equal); > > > > > > > > > > > > > > > Sniffer catches these under rule 62 (Experimental) but it's not enough > >to > > > > > hold these. > > > > > > > > > > Any ideas? What does one see when they view this under IE? > > > > > > > > > > > > > > > --- > > > > > [This E-mail was scanned for viruses by Declude Virus > > > >(http://www.declude.com)] > > > > > > > > > > --- > > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > > > at http://www.mail-archive.com. > > > > > > > >--- > > > >[This E-mail was scanned for viruses by Declude Virus > > > >(http://www.declude.com)] > > > > > > > >--- > > > >This E-mail came from the Declude.JunkMail mailing list. To > > > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > >type "unsubscribe Declude.JunkMail". The archives can be found > > > >at http://www.mail-archive.com. > > > > > > Glenn Brooks > > > WebWize, Inc. > > > 713-688-4382 > > > http://www.webwize.com > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > >(http://www.declude.com)] > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > > > > > > > > > >--- > >[This E-mail was scanned for viruses by Declude Virus > >(http://www.declude.com)] > > > >--- > >This E-mail came from the Declude.JunkMail mailing list. To > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >type "unsubscribe Declude.JunkMail". The archives can be found > >at http://www.mail-archive.com. > > Glenn Brooks > WebWize, Inc. > 713-688-4382 > http://www.webwize.com > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] weird random .htm attachments
I filter on this "+ String.fromCharCode(" This is common in all of them. Combined with other tests it catches most. Mike - Original Message - From: "Glenn Brooks" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, March 29, 2004 20:02 Subject: RE: [Declude.JunkMail] weird random .htm attachments > Has anyone set up a filter to catch thesewe get a lot of them... > > gb > > > At 04:41 PM 3/29/2004 -0800, you wrote: > >Yes, I have been seeing them too. They are java scripts that run. Definitly > >spam. > > > >John Tolmachoff > >Engineer/Consultant/Owner > >eServices For You > > > > > -Original Message- > > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > > > [EMAIL PROTECTED] On Behalf Of Kevin > > > Sent: Monday, March 29, 2004 4:37 PM > > > To: [EMAIL PROTECTED] > > > Subject: [Declude.JunkMail] weird random .htm attachments > > > > > > Hi, > > > > > > Tried searching mail-archive.com for these but didn't turn up anything. > > > > > > Subject: pass on the fun [random subjects] > > > Body: This message has attach [random too] > > > [random attachments but always ends in .htm] > > > > > > I didn't open it with IE but with a text editor. > > > > > > Starts with contractions = new Array(162, > > > [whole bunch of numbers] > > > > > > ends with > > > > > > charters = 907; > > > beetle = 243; > > > var equal = ""; > > > for(bowl = 0; bowl < charters; bowl++) > > >equal = equal + String.fromCharCode(contractions[bowl] ^ > > > preferential[bowl % beetle]); > > > document.write(equal); > > > > > > > > > Sniffer catches these under rule 62 (Experimental) but it's not enough to > > > hold these. > > > > > > Any ideas? What does one see when they view this under IE? > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > >(http://www.declude.com)] > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > >--- > >[This E-mail was scanned for viruses by Declude Virus > >(http://www.declude.com)] > > > >--- > >This E-mail came from the Declude.JunkMail mailing list. To > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >type "unsubscribe Declude.JunkMail". The archives can be found > >at http://www.mail-archive.com. > > Glenn Brooks > WebWize, Inc. > 713-688-4382 > http://www.webwize.com > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] MyDoom / Novarg
Search Google and you'll see that many others seem to think they're viri only too. And of the legit zips I examined on my system they don't have those sequences. Irregardless I block all executable attachments anyways at my mx. This was strictly for the ones that are bypassing my mx records and sending directly to my mailbox server. Mike - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, January 27, 2004 5:17 PM Subject: Re: [Declude.JunkMail] MyDoom / Novarg > > >This string is in the beginning of first line of the body of infected emails > >all buts the zips > > > >T_V_q_Q_A_AME > > > >This is in the beginning of the first line of the .zips > > > >U_E_s_D_B_AoAA > > > >Both of these strings produce virus hits on Google > > IIRC, those are just the encoded beginnings of .exe and .ZIP files -- and > could catch legitimate .exe and .zip files. > > -Scott > --- > Declude JunkMail: The advanced anti-spam solution for IMail mailservers. > Declude Virus: Catches known viruses and is the leader in mailserver > vulnerability detection. > Find out what you've been missing: Ask about our free 30-day evaluation. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] MyDoom / Novarg
This string is in the beginning of first line of the body of infected emails all buts the zips T_V_q_Q_A_AME This is in the beginning of the first line of the .zips U_E_s_D_B_AoAA Both of these strings produce virus hits on Google NOTE: remove the underscores to get the actual string. I put these in a separate body filter with a delete action. Every one held today was a virus. Mike - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, January 27, 2004 4:01 PM Subject: [Declude.JunkMail] MyDoom / Novarg > I have been successful trapping most of these viruses with a body filter > filtering on the > > Mail transaction failed. Partial message is available. > > and > > has been sent as a binary attachment > > I placed the extra spaces so they will not get caught by other filters on > this list. I then use ROUTETO to send the messages to an account I monitor > for false positives. > > Out of about 100 catches so far no false positives. > > > Kevin Bilbee > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] Behalf Of Jim Priest > > Sent: Tuesday, January 27, 2004 12:10 PM > > To: Chuck Schick > > Subject: Re[2]: [Declude.JunkMail] evaluating declude > > > > > > Tuesday, January 27, 2004, 2:42:18 PM, Chuck wrote: > > CS> Here are some of my general guidelines. > > CS> 4. ) A few pieces of Spam are always going to get through > > because spammers > > CS> are always changing their methodology. We are in a reactive mode. > > > > Chuck, thanks for all the info. Been digging through some of the > > archives and learning more. > > > > Another quick question - how many people use the 'hold' action - and > > how do you manage any spam which gets held? I've found some software > > called 'Spam Review' which looks helpful. > > > > jim > > > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Manual
Scott: Your abilities as a writer are fine. I have seem many of your explanations on use of features and for most I think they would suffice. They just need to be put in the online manual at the same time you post a message to the list. I agree that beta features should not be in the main manual but could be listed in a separate change.log file or in a beta/interim release file. Mike - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, January 23, 2004 3:02 PM Subject: Re: [Declude.JunkMail] Manual > > >I have not renewed my Junkmail SA due to the lack of an updated manual. > > > >If Scott would spend the same amount of time updating the manul as he does > >explaining to the list how features work, the manual would be current. > > > >Monitoring and researching list archives is fine for free or diy software > >but for a paid product with stable features it's unacceptable. > > There seem to be two main issues with the manual. > > [1] It needs an overhaul by a technical writer. > [2] It does not include all the features that are available in the latest > beta, and > > #1 is something that has been an issue for some time. We actually did look > for a technical writer a while back, but there was a snag that prevented it > from being completed. We are definitely planning on addressing this. > > As far as #2 goes, unfortunately, if we add beta features to the manual, > there are several problems. First, customers are going to get frustrated > that they cannot use features shown in the manual (which would cost us more > for support, too). Second, we would have to make many changes to the > manual as beta features are altered. Third, I'm sure that if we were to > add beta features to the manual, a lot of people would then expect them for > interim releases. > > -Scott > --- > Declude JunkMail: The advanced anti-spam solution for IMail mailservers. > Declude Virus: Catches known viruses and is the leader in mailserver > vulnerability detection. > Find out what you've been missing: Ask about our free 30-day evaluation. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Manual
I have not renewed my Junkmail SA due to the lack of an updated manual. If Scott would spend the same amount of time updating the manul as he does explaining to the list how features work, the manual would be current. Monitoring and researching list archives is fine for free or diy software but for a paid product with stable features it's unacceptable. Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Spammer network
For what its worth this is the info of a spam host that harvested one of my emails from the whois database and will spam using different domain names to get around unsubscribe requests. Here's the current one: Received: from Mailer3.gd-aol.com (52.gd-aol.com [66.63.163.52]) Here's one from a month ago: Received: from mailer16.i-jst5.com (unknown [66.63.167.61]) The host is below. OrgName:OC3 Networks & Web Solutions, LLC OrgID: ONWSL Address:6279 Variel Ave Address:Suite H City: Woodland Hills StateProv: CA PostalCode: 91367 Country:US NetRange: 66.63.160.0 - 66.63.175.255 CIDR: 66.63.160.0/20 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] wanadoo.fr
And a big source of spam from those dialup and dsl IPs Mike - Original Message - From: "serge" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, December 10, 2003 10:19 PM Subject: Re: [Declude.JunkMail] wanadoo.fr > this this france telecom (french at&t) internet services > largest isp in france, with dialup and dsl customers > > > - Original Message - > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, December 10, 2003 5:17 PM > Subject: [Declude.JunkMail] wanadoo.fr > > > > Any one see legit coming from this domain? All I see are spam. > > > > John Tolmachoff > > Engineer/Consultant/Owner > > eServices For You > > > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Character set/unicode testing?
Mark: I get a fair amout of this also. Mine seems to come mostly from broadband lines (rr, verizon, charter, comcast, attbi) so I ip block at the /24 level (class c). Of course it's after the fact. But should block some future spam. I also have a subject filter to add weight for non western char sets. Seems to help catch some. Mike - Original Message - From: "mark_smith" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, September 17, 2003 9:12 AM Subject: [Declude.JunkMail] Character set/unicode testing? > Sending this again. > Any ideas? > > > Is there any way to filter based on character set, code page, etc? > > I'm getting swamped with tons of Cyrillic spam lately and it's > > passing my RBL's recently. > > > > I can't filter by code word or phrase and the MAILFROM field > > is random. > > > > Any thoughts? > > > > Here's a sample > > > > -0- > > > > ETOpJa8Lj9twl9fIQ > > Продам или сдам помещение (офис, мед. центр и.т.д.) м. > > Красногвардейская. Ореховый бульвар, д.59, (7-10 мин. > > пешком). 352,8 кв. м. 1-й этаж ж/д (нежилой фонд), 2 отд. > > входа с улицы , большие окна, отдельный блок, рабочее > > состояние, любое количество телефонов, ПА, удобный подъезд и > > парковка. Можно делить помещение на 2 части. > > Продажа 1100$ кв. м, возможна аренда: 200$ кв. м. /год (с торгом). > > Татьяна Александровна: rcl506TD940837 > > TIGQEcqiUgIFpRrJ > > > Nf≈╠ф²Г╒╩╝К╠╪yиuЕ╝К╤зЪ uГ╧в╒d┼аj)jg╝┴┘Юr[x⌡░ф√f√)√+N▀╡Фr╦z;╤гu╘≥╗╤┬j)╝Вr[yйjwй≈·к╠йmЮr[x⌡░ф∙8j╥┼Вq╘ yЗ²ж├шЪЭбf∙╙├+ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] How to config subjectchars test
Can specific characters be specified? If so how? If not a feature request to look for a specified char and the count, just like the subjectspaces test. Could be useful for "U*n*i*v*e*r*s*i*t*y d*i*p*l*o*m*a" Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OBFUSCATION filter
Sorry, just noticed, this was in the "subject". Mike - Original Message ----- From: "Mike K" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, September 16, 2003 3:32 PM Subject: Re: [Declude.JunkMail] OBFUSCATION filter > May want to account for foreign languages also. I just received this spam > while I was adding your URL obfuscation filter. > > Недорогие > звонки > зарубеж! > > Mike > > > - Original Message - > From: "Matthew Bramble" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, September 15, 2003 12:40 PM > Subject: Re: [Declude.JunkMail] OBFUSCATION filter > > > > Pete, > > > > It's not redundant because the two by themselves only check for strings > > of two, while the combination checks for strings with one of each in > > succession. This way, if they go back and forth between the two, it > > will get caught as long as there is a "." or "@" between them, or as > > long as it is URL encoding followed by HTML encoding. I left out the > > other way around because it was only a two character string, ";%" and > > wanted to protect from FP's. > > > > I do appreciate the feedback though...I do of course make mistakes. > > > > Matt > > > > Pete McNeil wrote: > > > > > Matt, > > > > > > It appears that your coding for a combination of http & url encoding > > > in urls is redundant since you capture both types individually. It's a > > > small optimization, but worth mentioning. > > > > > > _M > > > > > > At 07:46 PM 9/14/2003 -0400, you wrote: > > > > > >> I've posted a newer version of the OBFUSCATION filter on my site. > > >> This contains the removal of the attachment thing and also the > > >> removal of 6 (of over 100) tests in order to be more forgiving, sans > > >> the PayPal issue. > > >> > > >> > http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt > > >> > > >> > > >> If you find any false positives with this besides the Ticketmaster > > >> one that I've already counterbalanced, please let me know. I would > > >> imagine that posting to this group would be better than PM's unless > > >> others mind having discussion here. That way everyone would know > > >> about any issues ASAP. > > >> > > >> Thanks, > > >> > > >> Matt > > >> > > >> --- > > >> [This E-mail was scanned for viruses by Declude Virus > > >> (http://www.declude.com)] > > >> > > >> --- > > >> This E-mail came from the Declude.JunkMail mailing list. To > > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > >> type "unsubscribe Declude.JunkMail". The archives can be found > > >> at http://www.mail-archive.com. > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > > > (http://www.declude.com)] > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OBFUSCATION filter
May want to account for foreign languages also. I just received this spam while I was adding your URL obfuscation filter. Недорогие звонки зарубеж! Mike - Original Message - From: "Matthew Bramble" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, September 15, 2003 12:40 PM Subject: Re: [Declude.JunkMail] OBFUSCATION filter > Pete, > > It's not redundant because the two by themselves only check for strings > of two, while the combination checks for strings with one of each in > succession. This way, if they go back and forth between the two, it > will get caught as long as there is a "." or "@" between them, or as > long as it is URL encoding followed by HTML encoding. I left out the > other way around because it was only a two character string, ";%" and > wanted to protect from FP's. > > I do appreciate the feedback though...I do of course make mistakes. > > Matt > > Pete McNeil wrote: > > > Matt, > > > > It appears that your coding for a combination of http & url encoding > > in urls is redundant since you capture both types individually. It's a > > small optimization, but worth mentioning. > > > > _M > > > > At 07:46 PM 9/14/2003 -0400, you wrote: > > > >> I've posted a newer version of the OBFUSCATION filter on my site. > >> This contains the removal of the attachment thing and also the > >> removal of 6 (of over 100) tests in order to be more forgiving, sans > >> the PayPal issue. > >> > >> http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt > >> > >> > >> If you find any false positives with this besides the Ticketmaster > >> one that I've already counterbalanced, please let me know. I would > >> imagine that posting to this group would be better than PM's unless > >> others mind having discussion here. That way everyone would know > >> about any issues ASAP. > >> > >> Thanks, > >> > >> Matt > >> > >> --- > >> [This E-mail was scanned for viruses by Declude Virus > >> (http://www.declude.com)] > >> > >> --- > >> This E-mail came from the Declude.JunkMail mailing list. To > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> type "unsubscribe Declude.JunkMail". The archives can be found > >> at http://www.mail-archive.com. > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] JM held mail viewer
Perfect, Thank you. Mike - Original Message - From: "Bill Landry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, September 16, 2003 10:11 AM Subject: Re: [Declude.JunkMail] JM held mail viewer > Yes, there is a neat little decode app from Funduc Software that supports > decoding of several encoding types, and it integrates nicely into the > Windows Explorer right-click feature (so if you right-click on a file, one > of your options is "Decode"). You can find it at www.funduc.com under the > "Free Stuff" section (which makes it even better). > > Bill > - Original Message - > From: "Mike K" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Tuesday, September 16, 2003 7:00 AM > Subject: [Declude.JunkMail] JM held mail viewer > > > > Is there a util that allows viewing/decoding of base64 encoded D*.SMD > spool > > files thats been held by JM? > > > > Mike > > > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] JM held mail viewer
Is there a util that allows viewing/decoding of base64 encoded D*.SMD spool files thats been held by JM? Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] URL's in Body as IP4r type..
Title: Message I've been blocking based on content for a few years. The open relays/proxies/hacked servers/spam friendly networks just keep moving ips. Much more logical but resurce intensive to block on content. The message is the real problem not the messenger. And it is much more difficult to hide the url/email address using junk embedded comments. Mike - Original Message - From: Kami Razvan To: [EMAIL PROTECTED] Sent: Friday, July 11, 2003 9:05 AM Subject: [Declude.JunkMail] URL's in Body as IP4r type.. Hi; I am just brainstorming.. Pro.. con? We know one thing about spam.. someone is trying to sell something.. so in every spam there has to be a way for the spammer to be contacted through: 1: Web site visit (URL or IP), 2: email 3: Phone number In general I have seen no more than one or two of the above unique entries in a single spam. In the absence of a point of contact there is no point in the broadcasted mass mail. Of course the above is the obvious .. While all IP4r tests concentrate on finding the point of origin of the email what if we try to block the email content? So what if.. 1: An added program be written as an add-on to Declude that extracts the unique emails, URL's, IP's or phone numbers from the body of the email. 2: Sends these numbers as query to a server much like the IP4r tests for response. Would this not work? I know with our filter tests we have pretty much blocked all spam. In the last month I have had one spam that came through and the rest are all blocked. So if we are to expand on this the logical step, in my opinion, is to have a centralized check point for all the entries we have. We can brainstorm about this and bring out bad, good, what if's, .. may be collectively we can solve this problem. Bad idea!? Regards, Kami
Re: [Declude.JunkMail] Idea for a test...
Scott: You may just want to build support for unix style regular expressions. Complicated, but they can do this and much more. Note: Len's IMGate solution can do this also but with half the cpu horsepower that NT/2K require. I use IMGATE as a front end to IMAIL/Declude do exactly this. Expression matching does get cpu intensive if you don't limit it to say the first 5K bytes (scanning a 5 meg attachment for ex.) or so and make sure it runs after less resource intensive tests (rbls). Mike - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, February 24, 2003 10:36 AM Subject: Re: [Declude.JunkMail] Idea for a test... > > >As we all know the spammers insert special characters in the middle of > >subject words to bypass the filters, e.g. P/O/R/N, or all sort of other > >variations. > > > >Can a test we devised, similar to the COMMENT test that counts the number > >of special characters or detect similar characters appearing in the middle > >of words. > > > >I guess one way to approach this is to first count if there are more than > >1 or 2 special characters and if yes then determine if they are followed > >by text. > > > >This could be a weight test. > > This does sound like a good idea. Our spamtraps don't seem to get much > spam like that, but a test looking for non-alphanumeric characters that are > surrounded by alphanumeric characters might make some sense (which would > catch "P/O/R/N"). > -Scott > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Opinion on bulk mailers
What is everyone's opinion on bulk mailers like flowgo, gossipflash, valoffers, quill? The joke lists, cell phone offers, travel offers, software offers, etc. The old saying one mans trash is anothers treasure comes to mind. While I as an isp admin think it's trash, and optin is the only true legit method, a user might want this stuff. Most if not all are listed on the RBLs. And has anyone successfully unsubscribed from their lists? Topica is a good example, at first they appeared to be spammers then they seemed to have cleaned up theit act. I even see some of their e-mails come through with the Habeas signature embedded. However some of the emails seem of questionable content. Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spoofed IP's
Spamcop will send notices based on IP and domain name. I had several notices because of a "joe job" using our domain name with a forged return email address. If it's a legit Spamcop notice then just reply as appropriate. Usually these complaints originate from clueless aol users. They look at the forged "From" address and send a complaint. Mike - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, January 09, 2003 9:37 PM Subject: Re: [Declude.JunkMail] Spoofed IP's > > >We have a problem, where SpamCop or someone, will contact us claiming they > >have received spam from our IP range. I investigate only to find out what I > >expected, there is no server, client, or anything on that subnet. Infact we > >haven't allocated that subnet yet, it sits unused. > > You may want to check out http://spamcop.net/fom-serve/cache/338.html , > which shows a sample "real" report from SpamCop -- there was a spammer that > was sending out lots of fake SpamCop notices a while back, he may have > started up again. > > >My immediate suspicion is that the address is spoofed. We have bogon filters > >on the edge of our network, so I am 99.9% sure that these are spoofed > >addresses. > > > >Do any of you experience this too? Any suggestions? I get about 2 or 3 > >claims a week and it's just bothersome. > > My guess would be either that it was a spoofed report (not from SpamCop), > or that it isn't related to your IP (for example, I've heard that SpamCop > will report web sites that are listed in spam). > > IP spoofing is usually very, very difficult to do -- doable by a > knowledgeable hacker with the right compromised servers, nearly impossible > for a script kiddie, and probably impossible for any spammer. It is next > to impossible to do with a Windows computer, and Windows computers are what > spammers and script kiddies tend to have for compromised servers. Even if > a spammer knew how to do it, the drawbacks of doing so would likely well > outweigh the benefits. > -Scott > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Recommendation on RBLs
In everybody's opinion, what RBLs have to lowest rate (possibly zero) of false positives? I use Junkmail and IMGate and want to block the real obvious junk (at IMGate) while giving my users more control options on the "grey" stuff. Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] IPBYPASS
Is it possible to use CIDR in IPBYPASS Ex: 192.168.0/24 Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] ??? on RBLs
While I know this is usually based on personal preference, and highly subjective, but what do others find as the most reliable RBLs but with the minimum of false positives? Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] filter question
Can Junkmail pro filters (for msg body) use wildcards? Is there a reference? I want to create a filter (to hold) msgs that have embedded urls with IP addresses in them. I can do this is my IMGate machine but want to see what I catch first. Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Wordfilter bypassed
A spam I received yesterday had these comments in it also. However one thing I noticed was that the spam had a url that started off with the standard http then was followed by PercentHexHexPercentHexHexPercentHexHexPercentHexHexPercentHexHex and so on. This should be very easy to filter on as no legit mailer should be hiding urls like that. Mike - Original Message - From: "Madscientist" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, November 19, 2002 8:47 PM Subject: RE: [Declude.JunkMail] Wordfilter bypassed > | > | However, that's the way spam control is heading. As more and > | more people > | get fed up with spam, more and more of the bozos that are > | doing things the > | wrong way will need to fix their problems. > | > | I can understand an HTML E-mail having one or two comments in > | it, but 10 or > | 20 is just a waste of bandwidth. That is information the > | recipient will > | never see. > | > | -Scott > > Where we got into trouble was with big corporate iron... (IBM, Sun, > Microsoft, etc...) The comments in those messages were part of the code > base generating the messages and I can imagine (as a web developer also) > that they are pretty vital to the developers in their ongoing > maintenance efforts. It's not uncommon to see quite a few of them. As we > increased the threshold to accommodate the legitimate messages we were > capturing we soon reached a level where legitimate and non-legitimate > were practically indistinguishable. All I'm saying here is that since > HTML email is here to stay, and HTML comments are legitimate and > sometimes required for coding standards, a simple count of HTML comments > will not be a valid spam test in most cases. This has been our > experience - your mileage may/will vary. > > _M > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] filtering for comments in HTML email
The recent thread on the spam html e-mails that have comments scattered throughout the words. I just had one of these spams sent to me. Filter on the hyperlink thats embedded within. The spam sent to me had a url like this http://%4C%50%4D%43%34%4F%73%56%78% You can filter on this as NO legit mailer should be creating urls like this. Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Why did this get nabbed by my pornfilter?
Had a similar occurance on filtering for theose stupid spam penny stock tips that always contain "O*T*C" Found out that attachments sometimes morphed to contain that string. Lesson learned, be more specific. Mike - Original Message - From: "Sharyn Schmidt" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, November 15, 2002 8:15 AM Subject: RE: [Declude.JunkMail] Why did this get nabbed by my pornfilter? > Statistically it should not happen often, > but it can happen occasionally. The longer the string you search on, > the > less likely it will happen. > -Scott > > > > Thanks, Scott. This is the very first time something like this has > happened so I'm not going to worry about it. Just making sure I didn't > miss something obvious :) > > Sharyn > > > We are the worldwide producer and marketer of the award winning Cruzan > Single Barrel Rum, judged "Best in the World" at the annual > San Francisco Wine and Spirits Championships. For > more information, please click (go to) http://www.cruzanrums.com";>www.cruzanrums.com > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.