Re[2]: [Declude.JunkMail] High % of spam from this IP range:
64.119.192.0/19 = iwayhosting.com covers all those

Been in my banned ip list for a while now.

Rick Rountree

*** REPLY SEPARATOR ***

On 12/6/2003 at 3:04 PM George Kulman wrote:

Marc

Don't forget 64.119.208.0/24

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Saturday, December 06, 2003 2:42 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] High % of spam from this IP range:

64.119.209.70 64.119.210.70 64.119.222.157 64.119.194.100 64.119.210.70 64.119.217.134 64.119.222.156 64.119.222.157

Out of about 40 held messages this morning these IP's were in about 10 of them. I'm going to add the following to a weighted (10) IP file so it will pass my delete weight if it fails just about any other test.

A 64.119.209.0/24 64.119.210.0/24 64.119.222.0/24 64.119.194.0/24 64.119.217.0/24

After closer inspection, some of these ranges are already in one file, sigh... I hate spam...

Maybe it's the blizzard, but I just felt like sharing this with all of you. Those of you on the east with me, stay safe and warm.

Marc

--- [This E-mail scanned for viruses by Declude Virus]
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] RBL's
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, October 20, 2003 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] RBL's

The updated global.cfg file defines the tests, which will run them and use them towards the weighting system. If you also want to take an action based on those tests (such as WARN or HOLD), you would also need to update your $default$.JunkMail file.

-Scott

Scott, You still have the monkeys.com entries in your default global.cfg. Didn't they go dark a few weeks ago?

Rick Rountree
Dundee.Net
Re: [Declude.JunkMail] Fw: [SAtalk] OSIRUSOFT -- should they be used any more?
There have been similar posts on NANOG indicating xxx.osirusoft.com are returning all 127.0.0.2. Apparently they are under a massive DDOS attack

Rick Rountree
Sr Network Admin
Dundee.Net

At 08:38 PM 8/26/2003, you wrote:

FYI, looks like Joe Jared (of Osirusoft) is finally hanging it up.

Bill

- Original Message -
From: James Miller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 4:07 PM
Subject: RE: [SAtalk] OSIRUSOFT -- should they be used any more?

Update OSIRUSOFT issue: I decided to go ahead and call Joe Jared since now our primary mail server is now listed as well and I can't get mail to him.

- The following addresses had permanent fatal errors -
[EMAIL PROTECTED] (reason: 553 5.3.0 [EMAIL PROTECTED]... Mail from nitwit spammer 198.83.204.156 refused see http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr=198.83.204.156)

- Transcript of session follows -
... while talking to relays.osirusoft.com.:
MAIL From:[EMAIL PROTECTED] SIZE=1524
553 5.3.0 [EMAIL PROTECTED]... Mail from nitwit spammer 198.83.204.156 refused see http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr=198.83.204.156
501 5.6.0 Data format error

I find this quite silly, I scanned our mail logs and I can say with certainty that spam is/has not been coming from our site.

Anyway, when I called Mr. Jared, he stated that everyone needs to stop using Osirusoft and that he's going to be shutting the service down. And I got the impression that he's soon going to get his point across by blacklisting the world. I'm not alone in this problem, a check on google groups will tell all.

http://groups.google.com/groups?dq=hl=enlr=ie=UTF-8oe=UTF-8safe=offfra me=rightth=b43eeebc8f1bd08cseekm=3LN2b.9658%24Ly2.1506055%40cletus.bright. net#link1

If you are using osirusoft to pull the Spamhaus SBL, an announcement was made by Steve Linford to stop using Osirusoft several weeks ago.

SpamAssassin is used by thousands of admins and the use of Osirusoft needs to be reconsidered, especially with a new release coming out soon. I would appreciate any comments about this.

Regards,
Jim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of James Miller
Sent: Tuesday, August 26, 2003 4:33 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] OSIRUSOFT -- should they be used any more?

With all the trouble OSIRUSOFT is having, is it time to stop using them?

As of 12:40 this afternoon our mail server stopped accepting mail from our main web server because it was listed on osirusoft. How I don't know since it doesn't run an SMTP server -- it's protected by a dmz firewall which allows 80-443 in, smtp 25 to our internal mail server and 1024 out to the world, it's completely up to date, runs Norton virus scanner and tcpdump over 3 hrs only shows it sending messages to our internal mail server. It's hard coded to send billing, cancellation, reactivation messages to exactly one mail server on the inside of our firewall.

news.admin.net-abuse.email is filled with messages/complaints about them from companies complaining that Joe Jared (founder of osirusoft and spews) isn't responding to requests to find out why they're listed and how to get off the list. Also, it seems they are facing several lawsuits from several large corporations.

And to add to it, they are (have been since Friday) under a DDoS attack, their web site is down, mail is not flowing to them (because of the attack I assume) and I don't know what to do to get us off the list before our class 'C' networks get added short of calling him or sending a fax. But I've been told that he will permanently black list anyone who calls or faxes him directly.

I have completely removed all osirusoft checks in SA and Sendmail. It may be time to completely remove them from SA all together.

Regards,
Jim

James Miller, MCSE
Network Administrator
Simutronics Corporation
www.play.net
636.946.4263 x113
[Declude.JunkMail] Fwd: SBL soon only from sbl.spamhaus.org
This was posted on NANOG today. Another MUST READ if you use the OSSOFT test or any other tests utilizing the Spamhaus SBL.

Rick Rountree
Dundee.net

Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Anti-Virus: Scanned for known viruses by sentinel.ultradesign.net
Date: Wed, 6 Aug 2003 18:42:07 +0100
To: [EMAIL PROTECTED]
From: Steve Linford [EMAIL PROTECTED]
Subject: SBL soon only from sbl.spamhaus.org
Sender: [EMAIL PROTECTED]
X-Loop: nanog
X-Declude-Sender: [EMAIL PROTECTED] [198.108.1.26]
X-Spam-Tests-Failed: IPNOTINMX, LOCALFILTER, COUNTRY [-9]
X-Note: Total spam weight of this E-mail is -9.
X-Country-Chain: UNITED KINGDOM-UNITED STATES-destination
X-RCPT-TO: [EMAIL PROTECTED]

If you currently use the SBL by querying the master zone sbl.spamhaus.org then you can ignore this message.

If you are using the SBL via 3rd party composite DNSBLs and not directly from sbl.spamhaus.org, then please read this as the following change affects your DNSBL setup.

For a long time the SBL has been available either directly from Spamhaus (as sbl.spamhaus.org) or via 3rd party composite zones such as relays.osirusoft.com (as spamhaus.relays.osirusoft.com) and blackholes.easynet.nl which import SBL data from Spamhaus. This distribution is now changing.

In order to better manage SBL logistics, DNSBL zone and query traffic, from Monday 11 August 2003 the SBL should only be available from sbl.spamhaus.org.

The fact the SBL was available from multiple DNSBLs was causing some confusion, plus other small factors (such as the different zones having different build times - which for example meant that we'd tell someone an IP had been removed, but they'd contact us a few hours later to say it was still blocked), plus the likely emergence of further composite lists which may add confusion, meant that it was time to make a change now rather than in a year or two.

So, if you are not using sbl.spamhaus.org but would like to continue using the SBL, please add sbl.spamhaus.org to your mail server's DNSBL list.

--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
[Declude.JunkMail] Fwd: BLOCK: ANNOUNCE: Major Policy Change for the Monkeys.com UPL
Posted today on SPAM-L. A must read for folks who use MONKEYPROXIES.

Rick Rountree
Sr Network Admin
Dundee.Net

Date: Sun, 3 Aug 2003 15:37:32 -0700
Sender: Spam Prevention Discussion List [EMAIL PROTECTED]
From: Ronald F. Guilmette [EMAIL PROTECTED]
Subject: BLOCK: ANNOUNCE: Major Policy Change for the Monkeys.com UPL
X-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [209.119.0.109]
X-Spam-Tests-Failed: Whitelisted [0]
X-Note: Total spam weight of this E-mail is 0.
X-Country-Chain: UNITED STATES-destination
X-RCPT-TO: [EMAIL PROTECTED]

The listing policy and criteria for the Monkeys.Com Unsecured Proxies List has been revised and updated. The new listing policy may be inspected here:

http://www.monkeys.com/upl/listing-policy.html

The major policy change now being adopted is that from now on, the UPL will list both unsecured proxies, and also the IP address blocks of Internet service providers (specifically web hosting companies, in almost all cases) which have substantial and significant open proxy hijacking activity that appears, based on data from my own extensive open proxy honeypot network, to be originating from the IP address blocks of the relevant provider(s). (Please note that this policy change will actually take effect as of Midnight, Pacific Daylight Time, Tuesday August 5th, 2003.)

As many of you may have noticed, I have in recent weeks been publishing detailed ranking information regarding the specific /24 IP address blocks that the data from my proxy honeypot network indicate are the worst offenders with regards to open proxy hijacking. The publication of that information, along with my numerous e-mailed notifications to the specific service providers associated with these worst offender IP address blocks has already resulted in the termination of several large-scale spammers and open proxy hijackers by their respective service providers, together with a significant associated reduction in proxy-hijack spam throughout the Internet.

In general, I have found that service providers (which are almost exclusively web hosting companies in these cases) _are_ willing and able to take effective action to terminate proxy hijacking from their networks, when and if they are informed of it. But I have also found numerous exceptions to that general rule, i.e. service providers that completely refuse to take any action whatsoever (not even blocking outbound connects to known abusable proxy ports) to stop the criminal activity from their networks. Based on these cases, it now appears completely clear that many service providers lack any real motivation whatsoever to end the practice of criminal proxy hijacking from their respective networks. For them, the hosting of criminal open proxy hijackers has essentially NO downside whatsoever, and on the upside it seems likely that such hosting arrangements can be VERY lucrative for the service providers involved.

The present change to the UPL listing criteria is designed to change this equation, and to provide at least some motivation to service providers to take appropriate action, as needed, to effectively address the problem of criminal conduct originating from their respective networks. I fully and firmly believe that in most of these cases, it will only take a gentle nudge (to be provided by the UPL) in order to get the providers to Do The Right Thing with respect to criminal open proxy hijacking.

Having said all that, I am most acutely aware of the fact that many current and prospective users of the UPL will have legitimate concerns about this significant policy change. Many may worry that the current 100% objective listing criteria for the UPL may become subjective to the point where ongoing use of the UPL becomes hard to defend or justify. Many will certainly also worry that this change will necessarily mean a significantly increased ``loss'' of legitimate incoming e-mail.

I believe that all such concerns will in fact prove to be totally unfounded. In fact, I sincerely believe that within just two weeks after the present UPL policy change goes into effect, UPL users and others will actually see an overall DECLINE in the numbers of incoming e-mails being rejected due to any and all open proxy DNSbl lists being used at any given site, and thus an overall REDUCTION in the probability that any specific e-mail rejection may result in the ``loss'' of legitimate non-spam e-mail.

When discussing the delicate issue of the possible ``loss'' of legitimate e-mail, it is important for current and future users of the UPL to fully appreciate that even the use of the UPL as it stands today, and with its current operating policies, may occasionally result in the bounce-back (not really ``loss'') of some perfectly legitimate non-spam incoming e-mails. The trade-off between that possibility and the benefits of avoiding the reception of large amounts of spam is one that users
[Declude.JunkMail] More on comments test
Scott, I have the comments test set up like this:

COMMENTS comments weight x 0 0

As I understand it, this essentially counts the number of comments and adds the total to the weight of the message. If I'm understanding this correctly, then I think it isn't working properly.

I am currently using COPYTO to send any message flagged as failing comments to me. I received one of the Norton System Works spams from South America this morning that contained 133 instances of <!--XaULbS--> used in the manner of what you're trying to catch, like so:

<P ALIGN=CENTER><FONT SIZE=5 PTSIZE=16>N<!--XaULbS-->or<!--XaULbS-->to<!--XaULbS-->n S<!--XaULbS-->ys<!--XaULbS-->te<!--XaULbS-->m<!--XaULbS-->W<!--XaULbS-->or<!--XaULbS-->k<!--XaULbS-->s 2<!--XaULbS-->00<!--XaULbS-->3 S<!--XaULbS-->of<!--XaULbS-->tw<!--XaULbS-->are Su<!--XaULbS-->it<!--XaULbS-->e P<!--XaULbS-->ro<!--XaULbS-->fe<!--XaULbS-->ss<!--XaULbS-->ion<!--XaULbS-->al E<!--XaULbS-->dit<!--XaULbS-->io<!--XaULbS-->n<BR>

However, the total weight of this email was only 16. Am I understanding this incorrectly?

Rick Rountree
Sr Network Admin
Dundee.Net
Re: [Declude.JunkMail] IP Range to CIDR Conversion
Thanks Terry, I opted to use the cn-kr.blackholes.us. Thanks for the info!

FWIW, I had to change the line:

CN-KR ip4r cn-kr.blackholes.us 127.0.0.2 13 0

to read

CN-KR ip4r cn-kr.blackholes.us * 13 0

to get it to work. Apparently the zone returns 127.0.0.2 and 127.0.0.3 depending on the country.

Thanks again

Rick Rountree
IANAP (I am not a programmer)

At 09:32 AM 1/26/2003 -0600, you wrote:

RR 2) If anyone has a JunkMail style file to share which includes all
RR of China's, Korea's, (and other Asian countries that are prone to
RR open relays) assigned IPs (better)

I just block them all. In your config file:

CN-KR ip4r cn-kr.blackholes.us 127.0.0.2 13 0

assigns weight 13 for instance to China and Korea - add test in $junkmail

see www.blackhoes.us for others

RR 3) Read in my MailShield file and spit out a JunkMail style file. (best)

It would not be hard to do really. Are you a programmer?

Terry Fritts
[Declude.JunkMail] IP Range to CIDR Conversion
Scott (or anyone else who may know),

I'm trying to convert my list of banned IPs from MailShield format for use in JunkMail. MailShield uses a text file with single IPs and IP ranges like this:

61.128.0.0-61.159.255.255
62.4.16.95

I want to convert these to JunkMail format like this:

61.128.0.0/11
62.4.16.95/32

I've used the CIDR/Netmask lookup on dnsstuff.com, but that's slow and tedious. I'm looking for a tool which I can either:

1) paste in the range, i.e., 61.128.0.0-61.159.255.255 and get the CIDR bit output (good)

or

2) If anyone has a JunkMail style file to share which includes all of China's, Korea's, (and other Asian countries that are prone to open relays) assigned IPs (better)

or

3) Read in my MailShield file and spit out a JunkMail style file. (best)

I've also tried several IP convertors I found while Googling but none seem to take an IP range in this form (61.128.0.0-61.159.255.255) as valid input.

So...which one of you folks already know how this can be done so I can stop beating my head up against the wall! <g>

Best regards,
Rick Rountree
Dundee.Net
Go Raiders!
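Option 3 in the post above (read a file of single addresses and first-last ranges, write CIDR entries), as an added example that is not from the original thread or from Declude. It assumes one entry per line; `entry_to_networks`, `convert` and `SAMPLE` are names made up here, and a range that does not sit on a CIDR boundary comes out as several entries.

```python
import ipaddress

def entry_to_networks(entry):
    """Turn one entry ('a.b.c.d' or 'a.b.c.d-e.f.g.h') into the minimal
    list of IPv4 networks that covers exactly that span of addresses."""
    if "-" in entry:
        first_s, last_s = entry.split("-", 1)
    else:
        first_s = last_s = entry          # single address: span of one
    first = ipaddress.IPv4Address(first_s.strip())
    last = ipaddress.IPv4Address(last_s.strip())
    if first > last:
        raise ValueError(f"range runs backwards: {entry!r}")
    return list(ipaddress.summarize_address_range(first, last))

def convert(lines, collapse=True):
    """Convert an iterable of entries into CIDR strings.

    Returns (cidrs, errors). errors holds (line_number, text, reason) for
    entries that could not be parsed, so a bad line is reported instead of
    silently dropping out of the block list."""
    networks, errors = [], []
    for lineno, raw in enumerate(lines, 1):
        text = raw.strip()
        if not text:
            continue                      # skip blank lines
        try:
            networks.extend(entry_to_networks(text))
        except ValueError as exc:         # also catches malformed addresses
            errors.append((lineno, text, str(exc)))
    if collapse:
        # Merge duplicate, nested and adjacent blocks into the fewest entries.
        networks = list(ipaddress.collapse_addresses(networks))
    return [str(n) for n in networks], errors

# Constructed sample input: the two entries quoted in the post, a range that
# is not CIDR-aligned, a range and an address it already covers, and one
# malformed line.
SAMPLE = """\
61.128.0.0-61.159.255.255
62.4.16.95
192.0.2.1-192.0.2.6
64.119.192.0-64.119.223.255
64.119.209.70
61.128.0.0-61.300.0.0
"""

if __name__ == "__main__":
    cidrs, errors = convert(SAMPLE.splitlines())
    print("\n".join(cidrs))
    for lineno, text, reason in errors:
        print(f"# skipped line {lineno}: {text} ({reason})")
```

With `collapse=False` the output keeps one group of entries per input line, which is easier to diff against the source file.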