RE: [Declude.JunkMail] Need strategy to up score.

2008-04-09 Thread Robert Grosshandler
The PCRE for yahoo.co.uk might just be the ticket.


Thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, April 09, 2008 8:58 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need strategy to up score.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] Need strategy to up score.

2008-04-09 Thread Scott Fisher
Here's a filter I use:
# attack Yahoo spammers
SKIPIFWEIGHT    315
MAXWEIGHT       150
#

#  exclude the big emails and those with good attachments
TESTSFAILED END CONTAINS    MPPT-SIZE-L
TESTSFAILED END CONTAINS    MPPT-SIZE-XL
TESTSFAILED END CONTAINS    MPPT-SIZE-XXL
TESTSFAILED END CONTAINS    ATTACHMENT-GOOD
#
MAILFROM    END NOTCONTAINS @YAHOO.
REVDNS      END NOTCONTAINS .YAHOO.

# Reverse Good tests
TESTSFAILED 15  CONTAINS    MXRATE-WHITE-LAST
TESTSFAILED 30  CONTAINS    BONDEDSENDER-DYNA
TESTSFAILED 15  CONTAINS    MPPT-SIZE-L
TESTSFAILED 15  CONTAINS    BODY-STATE-WL
TESTSFAILED 10  CONTAINS    DNSWL-ISP-LOW
TESTSFAILED 20  CONTAINS    DNSWL-ISP-MEDIUM
TESTSFAILED 40  CONTAINS    DNSWL-ISP-HIGH
TESTSFAILED 10  CONTAINS    DNSWL-NEWSLETTERS-LOW
TESTSFAILED 20  CONTAINS    DNSWL-NEWSLETTERS-MEDIUM
TESTSFAILED 40  CONTAINS    DNSWL-NEWSLETTERS-HIGH

# Common spam items
TESTSFAILED 50  CONTAINS    BODY-BLOGS
TESTSFAILED 50  CONTAINS    BODY-FREEHOSTS
TESTSFAILED 50  CONTAINS    BODY-URL-SHORTENER
TESTSFAILED 50  CONTAINS    LANGUAGE-CYRILLIC
TESTSFAILED 50  CONTAINS    LANGUAGE-EASTERNEUROPEAN

# Punish these tests more
TESTSFAILED 25  CONTAINS    SNIFFER-SNAKEOIL
TESTSFAILED 25  CONTAINS    SNIFFER-PORN

SUBJECT     25  CONTAINS    erotic
SUBJECT     25  CONTAINS    naughty
SUBJECT     25  CONTAINS    pretty
SUBJECT     25  CONTAINS    whore
SUBJECT     25  CONTAINS    girlfriend
SUBJECT     25  CONTAINS    schoolgirl
SUBJECT     25  CONTAINS    sexual
SUBJECT     25  CONTAINS    cuties
SUBJECT     25  CONTAINS    virgin
SUBJECT     25  CONTAINS    bitch
SUBJECT     25  CONTAINS    drugstore
SUBJECT     50  CONTAINS    M e d
SUBJECT     25  CONTAINS    Pian
SUBJECT     50  CONTAINS    P I A N
SUBJECT     25  CONTAINS    Viagra
SUBJECT     25  CONTAINS    Yahoo! Groups: You're invited!
SUBJECT     25  IS          hey
SUBJECT     25  CONTAINS    porn

MAILFROM    25  PCRE        (?i:[a-z]{5,[EMAIL PROTECTED])
MAILFROM    25  PCRE        (?i:[a-z]{5,[EMAIL PROTECTED])

BODY        25  CONTAINS    Girlfriend
BODY        25  CONTAINS    Schoolgirl
BODY        25  CONTAINS    whore
BODY        25  CONTAINS    Porn
BODY        50  CONTAINS    . c o m
BODY        75  PCRE        (www\.[a-z]{8,20}\.cn)
BODY        100 PCRE        (www\.[A-Za-z]+ dot com)
BODY        100 PCRE        (www\.[A-Za-z]+ dot  com)
BODY        50  CONTAINS    dot com
BODY        25  CONTAINS    w
BODY        25  CONTAINS    w
BODY        25  CONTAINS    w
BODY        25  CONTAINS    w



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert
Grosshandler
Sent: Tuesday, April 08, 2008 11:27 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Need strategy to up score.


Hi

We're getting spam that comes via Yahoo, looks good (but it isn't).  We'd
like to up the score it receives, so it won't get passed through.  We use
Sniffer/Declude/Inviurbl.

We're almost always Bcc'd.
Sometimes fails Sniffer, sometimes not (we've got a query into them, too.)
Doesn't always fail zerohour.
Always seems to be complete gobbledygook, plus a URL that looks like it is
well formed (and doesn't fail inviurbl test.)
Always seem to come via mud.yahoo.com (but so does legit email.)

Headers follow, thanks for any advice.



Received: from n26.bullet.mail.mud.yahoo.com [68.142.206.221] by
smtp.igive.com
  (SMTPD-9.23) id AD5302B4; Mon, 07 Apr 2008 19:33:23 -0500
Received: from [68.142.200.227] by n26.bullet.mail.mud.yahoo.com with NNFMP;
08 Apr 2008 00:33:22 -
Received: from [68.142.201.245] by t8.bullet.mud.yahoo.com with NNFMP; 08
Apr 2008 00:33:23 -
Received: from [127.0.0.1] by omp406.mail.mud.yahoo.com with NNFMP; 08 Apr
2008 00:33:23 -
X-Yahoo-Newman-Id: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Received: (qmail 56970 invoked from network); 8 Apr 2008 00:33:22 -
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.co.uk;
 
h=Received:X-YMail-OSG:X-Yahoo-Newman-Property:From:To:Reply-To:Subject:Date
:MIME-Version:Content-type:Content-transfer-encoding;
 
b=56tfwh/ZgrQDDqdn753U/L6m1fWJcABbNVM/kWWVUnmtRb34zE7SUdPbuBl5pBR+vKu5gWQj0Y
4ZtqBDqA8eMMjB4wpIbGBcQLmMo2hvNECaSWG09steODkIiCbItU7nHLtbutkTV2FATYUQ/g6lib
rf/QtD3tsRFNT+zLMDRKw=  ;
Received: from unknown (HELO w
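
A simplified model of how the filter posted above gates on Yahoo mail and accumulates weight, added here as an illustration; it is not code from the thread or from Declude. The END and MAXWEIGHT behaviour, case-insensitive CONTAINS/IS matching and the message bodies are assumptions; the REVDNS host, failed-test names and subject come from the sample headers posted in this thread.

```python
import re
# A few lines from the filter posted above; columns: field, weight or END, operator, value.
FILTER_TEXT = r"""
MAXWEIGHT    150
TESTSFAILED  END  CONTAINS     ATTACHMENT-GOOD
REVDNS       END  NOTCONTAINS  .YAHOO.
TESTSFAILED  40   CONTAINS     DNSWL-ISP-HIGH
SUBJECT      25   IS           hey
BODY         75   PCRE         (www\.[a-z]{8,20}\.cn)
BODY         100  PCRE         (www\.[A-Za-z]+ dot com)
BODY         50   CONTAINS     dot com
"""

def matches(op, value, text):
    # Assumed semantics: PCRE as written; IS/CONTAINS case-insensitive; NOT* negates.
    if op == "PCRE":
        return re.search(value, text) is not None
    v, t = value.lower(), text.lower()
    hit = (v == t) if op.endswith("IS") else (v in t)
    return not hit if op.startswith("NOT") else hit

def score(filter_text, msg):
    """Return (weight, matched values) for msg, a dict of field name -> text."""
    total, cap, hits = 0, None, []
    for line in filter_text.splitlines():
        parts = line.strip().split(None, 3)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "MAXWEIGHT":
            cap = int(parts[1])
            continue
        field, weight, op, value = parts
        if not matches(op, value, msg.get(field, "")):
            continue
        if weight == "END":  # gate line: leave the filter before anything is scored
            break
        total += int(weight)
        hits.append(value)
        if cap is not None and total >= cap:  # assumed: stop once the cap is reached
            break
    return total, hits

# Header-derived fields are from the thread's sample message; bodies are constructed.
YAHOO = {"REVDNS": "n26.bullet.mail.mud.yahoo.com",
         "TESTSFAILED": "SPAMCANNIBAL MXRATE-ALLOW NOABUSE NOPOSTMASTER ZEROHOUR",
         "SUBJECT": "[PS - 14]-hot r zy Woman food quality can."}
spam = dict(YAHOO, BODY="xq vrrt plo www.abcdefghij.cn zzt")
obfuscated = dict(YAHOO, BODY="see www.abcdefghij.cn or www.example dot com")
elsewhere = dict(spam, REVDNS="mail.example.net")
```

Calling `score(FILTER_TEXT, spam)` shows the sample's existing failed tests and subject add nothing here; only the constructed body URL scores, while the same body from a non-Yahoo host leaves the filter at the REVDNS gate.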

RE: [Declude.JunkMail] Need strategy to up score.

2008-04-08 Thread Robert Grosshandler
Hi

To be clear, local means "my" domain(s), not folks in some other domain,
correct?

Thanks ahead of time.

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, April 08, 2008 12:34 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need strategy to up score.

"We're almost always Bcc'd "  

Consider using BCC

This test will catch E-mail that has a lot of local recipients that are not
listed in the E-mail headers. This test is normally only used in advanced
setups, as most mailing list E-mail has many recipients not listed in the
headers.

BCC BCC 3   x   6   0

Where 3 is the number of BCC recipients and 6 is the weight given.

David B





RE: [Declude.JunkMail] Need strategy to up score.

2008-04-08 Thread David Barker
"We're almost always Bcc'd "  

Consider using BCC

This test will catch E-mail that has a lot of local recipients that are not
listed in the E-mail headers. This test is normally only used in advanced
setups, as most mailing list E-mail has many recipients not listed in the
headers.

BCC BCC 3   x   6   0

Where 3 is the number of BCC recipients and 6 is the weight given.

David B





[Declude.JunkMail] Need strategy to up score.

2008-04-08 Thread Robert Grosshandler
Hi

We're getting spam that comes via Yahoo, looks good (but it isn't).  We'd
like to up the score it receives, so it won't get passed through.  We use
Sniffer/Declude/Inviurbl.

We're almost always Bcc'd.
Sometimes fails Sniffer, sometimes not (we've got a query into them, too.)
Doesn't always fail zerohour.
Always seems to be complete gobbledygook, plus a URL that looks like it is
well formed (and doesn't fail inviurbl test.)
Always seem to come via mud.yahoo.com (but so does legit email.)

Headers follow, thanks for any advice.



Received: from n26.bullet.mail.mud.yahoo.com [68.142.206.221] by
smtp.igive.com
  (SMTPD-9.23) id AD5302B4; Mon, 07 Apr 2008 19:33:23 -0500
Received: from [68.142.200.227] by n26.bullet.mail.mud.yahoo.com with NNFMP;
08 Apr 2008 00:33:22 -
Received: from [68.142.201.245] by t8.bullet.mud.yahoo.com with NNFMP; 08
Apr 2008 00:33:23 -
Received: from [127.0.0.1] by omp406.mail.mud.yahoo.com with NNFMP; 08 Apr
2008 00:33:23 -
X-Yahoo-Newman-Id: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Received: (qmail 56970 invoked from network); 8 Apr 2008 00:33:22 -
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.co.uk;
 
h=Received:X-YMail-OSG:X-Yahoo-Newman-Property:From:To:Reply-To:Subject:Date
:MIME-Version:Content-type:Content-transfer-encoding;
 
b=56tfwh/ZgrQDDqdn753U/L6m1fWJcABbNVM/kWWVUnmtRb34zE7SUdPbuBl5pBR+vKu5gWQj0Y
4ZtqBDqA8eMMjB4wpIbGBcQLmMo2hvNECaSWG09steODkIiCbItU7nHLtbutkTV2FATYUQ/g6lib
rf/QtD3tsRFNT+zLMDRKw=  ;
Received: from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED]
with login)
  by smtp123.plus.mail.sp1.yahoo.com with SMTP; 8 Apr 2008 00:33:21 -
X-YMail-OSG:
UiyvW00VM1mV4yv6F.yyGe9FOC19nRnWakaxr0hVWy6Fq3yeWcq0ZG5OVF1d_dJSaphQ.y8ESkN5
jdHbfvx7.sxsAQ--
X-Yahoo-Newman-Property: ymail-3
From: RileyJones10 <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: [PS - 14]-hot r zy Woman food quality can.
Date: Tue, 08 Apr 2008 02:50:28 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=windows-1251
Content-transfer-encoding: 8bit
X-RBL-Warning: SPAMCANNIBAL: "blocked, See:
http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=68.142.206.221";
X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER"
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-Declude-Sender: [EMAIL PROTECTED] [68.142.206.221]
X-Declude-Spoolname: Dbd5200e15530.smd
X-Declude-RefID: str=0001.0A010205.47FABD5C.000E,ss=1,pt=47146,fgs=0
X-Declude-Scan: Incoming Score [14] at 19:33:38 on 07 Apr 2008
X-Declude-Fail: SPAMCANNIBAL [2], MXRATE-ALLOW [-5], NOABUSE [2],
NOPOSTMASTER [1], WEIGHT9 [9], WEIGHTMID [10], ZEROHOUR [14] 
X-Country-Chain: UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: `
X-UIDL: 462333283
X-IMail-ThreadID: bd5200e15530





