RE: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Marc Catuogno
I'm not familiar with this test?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Wednesday, September 10, 2003 10:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject

Add the following tests and it gets even better :)

SUBSPACE-10 subjectspaces 10 x 1 0
SUBSPACE-20 subjectspaces 20 x 2 0
SUBSPACE-30 subjectspaces 30 x 3 0

Matt


Dan Patnode wrote:

I did a scan of all uncaught spam from the last week, found all the
ones with Q, removed the QU's and ended up with this list.  All of
these would have been seen by Matt's new config:


Subject: Block those unwanted Popups yqvqk
Subject: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: Block those unwanted Popups yqvqk
Subject: FW: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: FW: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: FW: get that extra boost in the bed uvqtc qqyixu 
Subject: FW: new mailREgnfqnKQT
Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: Re: new mailREgnfqnKQT
Subject: Re: new mail REgnfqnKQT
Subject: Stop messages SPAM po p  vyoaejswayqo
Subject: [Fwd:
=?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=


Dan




On Wednesday, September 10, 2003 17:45, Matthew Bramble
[EMAIL PROTECTED] wrote:
  

How about 4 different super tests?  I fail automatically on
=?ISO-8859-1?B?, and that accounts for more than 1% of the
E-mail coming in to my server, but only a handful of additional
catches in what was being missed...no false positives.  I think
I've mentioned enough times, the other tests that I would like
to have...a BODYTEXT filter that searches just a decoded
non-HTML body, a NOTEXT test for nothing but spaces and returns
and attachments (that's a key) after decoding and
de-HTMLifying, and a TEXTCOUNT marquee test that would allow
you to search for amounts of non-HTML decoded body text just
like SUBJECTSPACES and BCC, but in reverse (the less there
is, the higher the score).  I could catch so much crap with
those 40 or so two character gibberish strings, in fact I think
it was properly tagging around 10% to 20% of all unique
incoming messages today if not more.  That gibberish subject
filter is tagging over 5% by itself, and with perfect accuracy
so far.  A functional gibberish body filter though would have a
reasonable number of false positives (was tagging buy.com links
that were shown in displayable text for instance).  I don't of
course though expect Scott to rush to my aid here.

I have managed to add though tests for SUBJECTSPACES (very
effective), COMMENTS (effective) and BCC (just ok), along with
some small key word/phrase filters for the body, subject and
sender with very good success.  I only saw about 5 definitive
false positives today out of around 3000 unique messages, but
approximately 150 pieces of spam got through.  I think that
could be reduced by as much as half without a measurable impact
on the false positives.  If that doesn't work, I'm buying a gun
:)

BTW, on Linux, my guru buddy recommends Postfix as the SMTP
client and Webmin as the interface.  I don't though dispute
Sandy's faith in MS SMTP, and it can be run on the same box as
IMail.

Matt




Dan Patnode wrote:

FYI, I pulled this test 3 weeks ago after an email from France
came through (or rather didn't) with this subject:

Subject:
=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B?
encoded subjects, disposable domain names, and nothing else in
the body of the message.  There has to be a way to bring the 2
or 3 variables together as a super test.


Dan


On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED]
wrote:
 

Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.

I tried this all the way down to just ?b? and a SUBJECT filter
didn't catch it.  The SUBJECT filter also doesn't catch the
decoded text.

I found though that if you use the HEADERS filter, it will
catch this (customize to suit, this will only catch Latin-1
that is base64 encoded, and I can't think of why that would be
necessary, I would think that only other character sets could
need this):

HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching
the decoded form of the text.  The BASE64 test is also not
catching this if it's only in the Subject of the message (I
assume it only does

Re: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Matthew Bramble




It's one of Declude's undocumented tests. I found a bunch of them in
the release notes on his site (link at the bottom of the manual page)
and then I searched the archives to find comments about them. I also
found a few from just simply reading people's config files on this
board.

This test, a.k.a. SUBJECTSPACES, just simply counts the number of
spaces in a subject line. Spammers often will do something like show a
subject, then a bunch of spaces, and then some gibberish. It will also
score on some very long subjects which are not common in real E-mail.
The scoring is additive as higher levels are hit, and you can customize
those levels.

Matt


Marc Catuogno wrote:

  I'm not familiar with this test?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble
Sent: Wednesday, September 10, 2003 10:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject

Add the following tests and it gets even better :)

SUBSPACE-10 subjectspaces 10 x 1 0
SUBSPACE-20 subjectspaces 20 x 2 0
SUBSPACE-30 subjectspaces 30 x 3 0

Matt


Dan Patnode wrote:

  
  
I did a scan of all uncaught spam from the last week, found all the
ones with Q, removed the QU's and ended up with this list.  All of
these would have been seen by Matt's new config:
  
  

Subject: Block those unwanted Popups yqvqk
Subject: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: Block those unwanted Popups yqvqk
Subject: FW: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: FW: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: FW: get that extra boost in the bed uvqtc qqyixu 
Subject: FW: new mailREgnfqnKQT
Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
  
  
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: Re: new mailREgnfqnKQT
Subject: Re: new mail REgnfqnKQT
Subject: Stop messages SPAM po p  vyoaejswayqo
Subject: [Fwd:
=?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=
  
  

Dan




On Wednesday, September 10, 2003 17:45, Matthew Bramble
[EMAIL PROTECTED] wrote:
  
  
 



  How about 4 different super tests?  I fail automatically on
=?ISO-8859-1?B?, and that accounts for more than 1% of the
E-mail coming in to my server, but only a handful of additional
catches in what was being missed...no false positives.  I think
I've mentioned enough times, the other tests that I would like
to have...a BODYTEXT filter that searches just a decoded
non-HTML body, a NOTEXT test for nothing but spaces and returns
and attachments (that's a key) after decoding and
de-HTMLifying, and a TEXTCOUNT marquee test that would allow
you to search for amounts of non-HTML decoded body text just
like SUBJECTSPACES and BCC, but in reverse (the less there
is, the higher the score).  I could catch so much crap with
those 40 or so two character gibberish strings, in fact I think
it was properly tagging around 10% to 20% of all unique
incoming messages today if not more.  That gibberish subject
filter is tagging over 5% by itself, and with perfect accuracy
so far.  A functional gibberish body filter though would have a
reasonable number of false positives (was tagging buy.com links
that were shown in displayable text for instance).  I don't of
course though expect Scott to rush to my aid here.

I have managed to add though tests for SUBJECTSPACES (very
effective), COMMENTS (effective) and BCC (just ok), along with
some small key word/phrase filters for the body, subject and
sender with very good success.  I only saw about 5 definitive
false positives today out of around 3000 unique messages, but
approximately 150 pieces of spam got through.  I think that
could be reduced by as much as half without a measurable impact
on the false positives.  If that doesn't work, I'm buying a gun
:)

BTW, on Linux, my guru buddy recommends Postfix as the SMTP
client and Webmin as the interface.  I don't though dispute
Sandy's faith in MS SMTP, and it can be run on the same box as
IMail.

Matt




Dan Patnode wrote:

FYI, I pulled this test 3 weeks ago after an email from France
came through (or rather didn't) with this subject:

Subject:
=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B?
encoded subjects, disposable domain names, and nothing else in
the body of the message.  There has to be a way to bring the 2
or 3 variables together as a super test.


Dan


On Monday, September 8, 2003

RE: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Colbeck, Andrew
 SUBJECT 40 CONTAINS =?ISO-8859-1?b?

I'm seeing quite a few of these coming in, but they are getting held.

I'm including a sample from my log, which is set to HIGH so that others can
see what tests have been useful for me.

An interesting point that came out of my following this thread is that I
found that when the ISO string appears anywhere in the subject EXCEPT for
the beginning, it's a SURE indicator that the message is spam. A really long
(and imperfect) way to test for that is to add:

SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
 999 CONTAINS 3=?ISO-8859-1?b?

Anyone have a more concise way to test for that?

Andrew 8)

09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on kr [weight-10; KR 
].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on free bottle 
[weight-2; free bottle with your purchase].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on 3+ inches 
[weight-2; 3+ Inches!br100% Satísfactio].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on Lengthen And 
Enlarge [weight-4; Lengthen and Enlarge your Pení].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on VP-RX [weight-1; 
VP-RX Pillsbr/b/font
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on No embarrassing 
doctor or pharmacy visits [weight-3; No embarrassing doctor or phar].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on Remove me 
[weight-5;  /Remove me/abr-=hqoGD].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on .biz/ [weight-1; 
.biz/mka/m2c.php?man=st4vpPr].
09/11/2003 00:13:05 Q2074182b01428a33 DSBL:6 BASE64:10 SPAMCOP:10 REVDNS:4 IPNOTINMX:2 
NOLEGITCONTENT:2 COUNTRY:10 SNIFFER:7 FIVETENSRC:5 EASYNET-DNSBL:7 EASYNET-PROXIES:5 
SORBS-HTTP:7 SORBS-SOCKS:7 PSBL:5 CBL:5 BENTALLIPBL:7 BENTALLSPAMHINT:33 
BENTALLSPAMURL:6 .  Total weight = 138
09/11/2003 00:13:05 Q2074182b01428a33 Using [outgoing] CFG file global.cfg.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed DSBL 
(http://dsbl.org/listing?ip=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed BASE64 (A binary encoded text or HTML 
section was found in this E-mail.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed REVDNS (This E-mail was sent from a 
MUA/MTA 211.109.109.68 with no reverse DNS entry.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed WEIGHT20 (Weight of 163 reaches or 
exceeds the limit of 20.). Action=HOLD.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed IPNOTINMX (). Action=LOG.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed NOLEGITCONTENT (No content unique to 
legitimate E-mail detected.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed COUNTRY (Message failed COUNTRY test 
(41)). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed FIVETENSRC 
(68.109.109.211.blackholes.five-ten-sg.com.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed EASYNET-DNSBL (Blacklisted by 
easynet.nl DNSBL - http://blackholes.easynet.nl/errors.html). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed EASYNET-PROXIES (Open Proxy - 
http://proxies.blackholes.easynet.nl/errors.html). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed SORBS-HTTP (Open Server [socks/35762] 
See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed SORBS-SOCKS (Open Server [http/35763] 
See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed PSBL (Your mailserver spammed me, see 
http://psbl.surriel.com/cgi-bin/listing.cgi?ip=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed CBL (Blocked - see 
http://cbl.abuseat.org/lookup.cgi?ip=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed BENTALLIPBL ( matched 
211.104.0.0/13). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed BENTALLSPAMHINT (Message failed 
BENTALLSPAMHINT test (901)). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed BENTALLSPAMURL (Message failed 
BENTALLSPAMURL test (412)). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Subject: First Ti=?ISO-8859-1?B?bWU=?=
09/11/2003 00:13:05 Q2074182b01428a33 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  
IP: 211.109.109.68 ID: h8B78ZwD003879
09/11/2003 00:13:05 Q2074182b01428a33 Last action = HOLD.


Re: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Dan Patnode
Looking at my spamples I don't see any prefix letter:


Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?

Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=

Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month

Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=

Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=

Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=

Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=

Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=

Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=

Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=


Who are these guys putting the code in the middle?  Course, I'm only looking at 
uncaught spam, perhaps these guys are getting nailed by other tests.

Dan



On Thursday, September 11, 2003 13:16, Colbeck, Andrew [EMAIL PROTECTED] wrote:
 SUBJECT 40 CONTAINS =?ISO-8859-1?b?

I'm seeing quite a few of these coming in, but they are getting
held.

I'm including a sample from my log, which is set to HIGH so that others can
see what tests have been useful for me.

An interesting point that came out of my following this thread is that I
found that when the ISO string appears anywhere in the subject EXCEPT for
the beginning, it's a SURE indicator that the message is spam. A really long
(and imperfect) way to test for that is to add:

SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
 999 CONTAINS 3=?ISO-8859-1?b?

Anyone have a more concise way to test for that?

Andrew 8)



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Colbeck, Andrew
Here you go.

Out of the 85 messages received in less than 3 days with this ISO encoded
subject, 11 had the encoding in the middle of the line (see attachment).

I think they were all caught due to the weights of other tests.

Andrew 8)

-Original Message-
From: Dan Patnode [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 11, 2003 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject


Looking at my spamples I don't see any prefix letter:


Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?

Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=

Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month

Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=

Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=

Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=

Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=

Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=

Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=

Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=


Who are these guys putting the code in the middle?  Course, I'm only looking
at uncaught spam, perhaps these guys are getting nailed by other tests.

Dan



On Thursday, September 11, 2003 13:16, Colbeck, Andrew
[EMAIL PROTECTED] wrote:
 SUBJECT 40 CONTAINS =?ISO-8859-1?b?

I'm seeing quite a few of these coming in, but they are getting
held.

I'm including a sample from my log, which is set to HIGH so that others can
see what tests have been useful for me.

An interesting point that came out of my following this thread is that I
found that when the ISO string appears anywhere in the subject EXCEPT for
the beginning, it's a SURE indicator that the message is spam. A really long
(and imperfect) way to test for that is to add:

SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
 999 CONTAINS 3=?ISO-8859-1?b?

Anyone have a more concise way to test for that?

Andrew 8)




09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on CA [weight-0; CA 
BR ].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on br [weight-10; BR 
].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on @snip [weight--9; 
@snip; Mon, 8 Sep].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on [EMAIL PROTECTED] 
[weight-30; [EMAIL PROTECTED]; Mon,].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on 100% guaranteed 
[weight-3; 100% Guaranteed to Work!/em
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on Weight Loss Patch 
[weight-3; Weight Loss Patch 
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on Norton [weight-1; 
Norton [EMAIL PROTECTED]
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on /bek/ [weight-30; 
/bek/Remove me/a
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on .biz/ [weight-1; 
.biz/mdp/m2c.php?man=andClic].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on getit4less.biz 
[weight-30; getit4less.biz/mdp/m2c.php?man].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on No More 
[weight-5; no morebrstarvation diets/].
09/08/2003 00:04:54 Q2a100762009c03a5 DSBL:4 DSBLALL:3 MONKEYPROXIES:7 SPAMCOP:10 
IPNOTINMX:2 COUNTRY:10 SNIFFER:7 NJABLDUL:5 EASYNET-DNSBL:7 EASYNET-DYNA:6 
EASYNET-PROXIES:5 BR-BR:7 SORBS-HTTP:7 SORBS-SOCKS:7 PSBL:5 CBL:5 SPAMBAG:3 
BENTALLSPAMHINT:28 BENTALLSPAMURL:61 BENTALLSPAMUNSUB:5 .  Total weight = 194
09/08/2003 00:04:54 Q2a100762009c03a5 Using [outgoing] CFG file global.cfg.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed DSBL 
(http://dsbl.org/listing?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed DSBLALL 
(http://dsbl.org/listing?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed MONKEYPROXIES (BLOCKED: See 
http://www.monkeys.com/upl/listed-ip-0.cgi?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed WEIGHT20 (Weight of 194 reaches or 
exceeds the limit of 20.). Action=HOLD.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed IPNOTINMX (). Action=LOG.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed COUNTRY (Message failed COUNTRY test 
(34)). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SNIFFER (Message failed SNIFFER: 
63.). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed NJABLDUL (This E-mail came from 
200.168.125.76

Re: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Matthew Bramble




I've been capturing this stuff and I have found the code in the middle
of native language text, but only occasionally. Some examples:

 Subject: You never IM =?ISO-8859-1?B?bWUgYW55?=more
 Subject: This is=?ISO-8859-1?b?IHRoZSA1dGgg?=email=?ISO-8859-1?b?IEkgc2Vu?=t you
 Subject: =?ISO-8859-1?b?SG93IGRvIA==?=you use =?ISO-8859-1?b?aXQ/?=

I haven't seen a false positive yet. Has someone seen ISO 8859-1
(Latin-1) being used for any other purpose? This is the standard
English and Western European character set. Is it possible that say a
foreign E-mail client build would tag Latin-1? If not, is there a
reason to be concerned about false positives???

Matt



Dan Patnode wrote:

  Looking at my "spamples" I don't see any prefix letter:


Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?

Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=

Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month

Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=

Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=

Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=

Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=

Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=

Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=

Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=


Who are these guys putting the code in the middle?  Course, I'm only looking at uncaught spam, perhaps these guys are getting nailed by other tests.

Dan



On Thursday, September 11, 2003 13:16, Colbeck, Andrew [EMAIL PROTECTED] wrote:
  
  

  SUBJECT 40 CONTAINS =?ISO-8859-1?b?
  

I'm seeing quite a few of these coming in, but they are getting
held.

I'm including a sample from my log, which is set to HIGH so that others can
see what tests have been useful for me.

An interesting point that came out of my following this thread is that I
found that when the ISO string appears anywhere in the subject EXCEPT for
the beginning, it's a SURE indicator that the message is spam. A really long
(and imperfect) way to test for that is to add:

SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
999 CONTAINS 3=?ISO-8859-1?b?

Anyone have a more concise way to test for that?

Andrew 8)
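
A more concise form of the check Andrew asks for, which also covers Matt's mid-text samples, as an added Python example (not code from the thread or from Declude): it parses RFC 2047 encoded-words in a raw Subject, applies Andrew's "anywhere except the beginning" rule for ISO-8859-1 base64, and separately flags encoded-words glued to plain text, which RFC 2047 does not allow. The function names are assumptions; the sample subjects are copied from this thread.

```python
import base64
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def decode_b(charset, payload):
    """Decode a base64 ('B') payload; return None if it is malformed."""
    try:
        return base64.b64decode(payload, validate=True).decode(charset)
    except (ValueError, LookupError):
        return None


def encoded_words(subject):
    """Return one dict per encoded-word found in a raw Subject value."""
    found = []
    for m in ENCODED_WORD.finditer(subject):
        charset = m.group(1).lower()
        encoding = m.group(2).upper()
        # Treat the start and end of the header value as whitespace.
        before = subject[m.start() - 1] if m.start() > 0 else " "
        after = subject[m.end()] if m.end() < len(subject) else " "
        found.append({
            "charset": charset,
            "encoding": encoding,
            "offset": m.start(),
            # RFC 2047 requires whitespace between an encoded-word and
            # any adjacent text, including another encoded-word.
            "glued": not (before.isspace() and after.isspace()),
            # Only 'B' payloads are decoded here; 'Q' is left undecoded.
            "decoded": decode_b(charset, m.group(3)) if encoding == "B" else None,
        })
    return found


def latin1_b64_not_at_start(subject):
    """Andrew's rule: an ISO-8859-1 base64 word anywhere except offset 0."""
    return any(
        w["charset"] == "iso-8859-1" and w["encoding"] == "B" and w["offset"] > 0
        for w in encoded_words(subject)
    )


def glued_to_text(subject):
    """Format rule: any encoded-word not delimited by whitespace."""
    return any(w["glued"] for w in encoded_words(subject))


def classify(subject):
    """Return (not_at_start, glued, decoded_parts) for one Subject value."""
    decoded = [w["decoded"] for w in encoded_words(subject)]
    return latin1_b64_not_at_start(subject), glued_to_text(subject), decoded


# Subjects copied from the messages in this thread.
SAMPLES = [
    "First Ti=?ISO-8859-1?B?bWU=?=",
    "You never IM =?ISO-8859-1?B?bWUgYW55?=more",
    "=?ISO-8859-1?b?SG93IGRvIA==?=you use =?ISO-8859-1?b?aXQ/?=",
    "=?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?",
    "=?iso-8859-1?B?U2F2ZSBtb25leSE=?=",
    "=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=",
    "[22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?=",
]

if __name__ == "__main__":
    for s in SAMPLES:
        not_at_start, glued, decoded = classify(s)
        print(f"not_at_start={not_at_start!s:5} glued={glued!s:5} {decoded} <- {s}")
```

On these samples the fully encoded spam subjects trip neither rule, which is consistent with Dan's report that most of his uncaught samples carry no prefix letter; the French and Korean subjects that caused false positives in the thread also pass both rules.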



  
  






Re: SPAM: Re: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Dan Patnode
Not bad.  Makes me wonder if the future test grouping feature would be even stronger 
with exclusive as well as inclusive grouping.  Must have (1) and (2) but not (3).  

That would rock! :)

Dan



On Thursday, September 11, 2003 15:05, Matthew Bramble [EMAIL PROTECTED] wrote:
Dan,

There's a decent way around that.  You can set the test in the Config 
file for a solid weight, not score each filter test incrementally, and 
then provide a list of negative tests that would offset the test.  So if 
there is some sort of ISO tagging of this Japanese stuff, you can find 
that code and defeat the test from running.  Same goes for
other languages.

I just got my first false positive out of 200 catches.  This was from 
Korea but written in English (still encoded though).  There are two 
clues in the headers as to how to defeat the test:

Subject: [22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?=
Content-Type: text/html; charset=euc-kr

You could probably do something like the following (suggested 
replacement for the original filter if you are using it):



GIBBERISHSUB filter C:\IMail\Declude\Filters\GibberishSub.txt x 5 0

# The following defeats the test if it finds the subject is not sent as ASCII

SUBJECT -5 CONTAINS ?b?

# Small list of letter combinations not found in a basic dictionary.

SUBJECT 0 CONTAINS qb
SUBJECT 0 CONTAINS qc
SUBJECT 0 CONTAINS qd
SUBJECT 0 CONTAINS qe
SUBJECT 0 CONTAINS qf
SUBJECT 0 CONTAINS qg
SUBJECT 0 CONTAINS qh
SUBJECT 0 CONTAINS qi
SUBJECT 0 CONTAINS qj
SUBJECT 0 CONTAINS qk
SUBJECT 0 CONTAINS qm
SUBJECT 0 CONTAINS qn
SUBJECT 0 CONTAINS qo
SUBJECT 0 CONTAINS qp
SUBJECT 0 CONTAINS qr
SUBJECT 0 CONTAINS qs
SUBJECT 0 CONTAINS qt
SUBJECT 0 CONTAINS qv
SUBJECT 0 CONTAINS qx
SUBJECT 0 CONTAINS qy
SUBJECT 0 CONTAINS qz

SUBJECT 0 CONTAINS vq
SUBJECT 0 CONTAINS wq
SUBJECT 0 CONTAINS tq
SUBJECT 0 CONTAINS jq

SUBJECT 0 CONTAINS xd
SUBJECT 0 CONTAINS xj
SUBJECT 0 CONTAINS xk
SUBJECT 0 CONTAINS xr
SUBJECT 0 CONTAINS xz

SUBJECT 0 CONTAINS zb
SUBJECT 0 CONTAINS zc
SUBJECT 0 CONTAINS zf
SUBJECT 0 CONTAINS zj
SUBJECT 0 CONTAINS zk
SUBJECT 0 CONTAINS zl
SUBJECT 0 CONTAINS zm
SUBJECT 0 CONTAINS zx



Matt







Dan Patnode wrote:

Follow-up,

Used in a high weight soft test, 3 of Q subject tests FPd this
morning.  It seems that Japanese encoded messages like lots of mixed up letters.

More testing...

Dan



On Wednesday, September 10, 2003 19:20, Dan Patnode [EMAIL PROTECTED] wrote:
  

I did a scan of all uncaught spam from the last week, found all
the ones with Q, removed the QU's and ended up with this list.
All of these would have been seen by Matt's new config:


Subject: Block those unwanted Popups yqvqk
Subject: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: Block those unwanted Popups yqvqk
Subject: FW: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: FW: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: FW: get that extra boost in the bed uvqtc qqyixu 
Subject: FW: new mailREgnfqnKQT
Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: Re: new mailREgnfqnKQT
Subject: Re: new mail REgnfqnKQT
Subject: Stop messages SPAM po p  vyoaejswayqo
Subject: [Fwd:
=?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=


Dan




On Wednesday, September 10, 2003 17:45, Matthew Bramble [EMAIL PROTECTED] wrote:


How about 4 different super tests?  I fail automatically on
=?ISO-8859-1?B?, and that accounts for more than 1% of the
E-mail coming in to my server, but only a handful of additional
catches in what was being missed...no false positives.  I think
I've mentioned enough times, the other tests that I would like
to have...a BODYTEXT filter that searches just a decoded
non-HTML body, a NOTEXT test for nothing but spaces and returns
and attachments (that's a key) after decoding and
de-HTMLifying, and a TEXTCOUNT marquee test that would allow
you to search for amounts of non-HTML decoded body text just
like SUBJECTSPACES and BCC, but in reverse 

Re: SPAM: Re: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Matthew Bramble
Either test grouping, or some way to limit the score of a filter that 
increments, or some way to negate the whole filter with a test inside of 
the filter.  Something like:

SUBJECT EXEMPT CONTAINS ?b?

That would keep your negation techniques from having an effect outside 
of the test.  In the fix I wrote below, there will be an unintentional 
effect of subtracting 5 points from any E-mail with an encoded subject, 
and that would be an issue if you get spam with encoded subjects besides 
Latin-1 encoding since you are blocking that.

I'm thinking that negation test functionality would work nicely within 
the framework of Declude's filters, providing a way to escape the test.  
This could also potentially save processing on large filters if you 
listed them at the top of the file.  Suggestion database candidate???

Matt



Dan Patnode wrote:

Not bad.  Makes me wonder if the future test grouping feature would be even stronger with exclusive as well as inclusive grouping.  Must have (1) and (2) but not (3).  

That would rock! :)

Dan



On Thursday, September 11, 2003 15:05, Matthew Bramble [EMAIL PROTECTED] wrote:
 

Dan,

There's a decent way around that.  You can set the test in the Config 
file for a solid weight, not score each filter test incrementally, and 
then provide a list of negative tests that would offset the test.  So if 
there is some sort of ISO tagging of this Japanese stuff, you can find 
that code and defeat the test from running.  Same goes for
other languages.

I just got my first false positive out of 200 catches.  This was from 
Korea but written in English (still encoded though).  There are two 
clues in the headers as to how to defeat the test:

Subject: [22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?=
Content-Type: text/html; charset=euc-kr
You could probably do something like the following (suggested 
replacement for the original filter if you are using it):



GIBBERISHSUB filter C:\IMail\Declude\Filters\GibberishSub.txt x 5 0

# The following defeats the test if it finds the subject is not sent as ASCII

SUBJECT -5 CONTAINS ?b?

# Small list of letter combinations not found in a basic dictionary.
SUBJECT 0 CONTAINS qb
SUBJECT 0 CONTAINS qc
SUBJECT 0 CONTAINS qd
SUBJECT 0 CONTAINS qe
SUBJECT 0 CONTAINS qf
SUBJECT 0 CONTAINS qg
SUBJECT 0 CONTAINS qh
SUBJECT 0 CONTAINS qi
SUBJECT 0 CONTAINS qj
SUBJECT 0 CONTAINS qk
SUBJECT 0 CONTAINS qm
SUBJECT 0 CONTAINS qn
SUBJECT 0 CONTAINS qo
SUBJECT 0 CONTAINS qp
SUBJECT 0 CONTAINS qr
SUBJECT 0 CONTAINS qs
SUBJECT 0 CONTAINS qt
SUBJECT 0 CONTAINS qv
SUBJECT 0 CONTAINS qx
SUBJECT 0 CONTAINS qy
SUBJECT 0 CONTAINS qz
SUBJECT 0 CONTAINS vq
SUBJECT 0 CONTAINS wq
SUBJECT 0 CONTAINS tq
SUBJECT 0 CONTAINS jq
SUBJECT 0 CONTAINS xd
SUBJECT 0 CONTAINS xj
SUBJECT 0 CONTAINS xk
SUBJECT 0 CONTAINS xr
SUBJECT 0 CONTAINS xz
SUBJECT 0 CONTAINS zb
SUBJECT 0 CONTAINS zc
SUBJECT 0 CONTAINS zf
SUBJECT 0 CONTAINS zj
SUBJECT 0 CONTAINS zk
SUBJECT 0 CONTAINS zl
SUBJECT 0 CONTAINS zm
SUBJECT 0 CONTAINS zx


Matt







Dan Patnode wrote:

   

Follow-up,

Used in a high weight soft test, 3 of Q subject tests FPd this
morning.  It seems that Japanese encoded messages like lots of mixed up letters.
   

More testing...

Dan



On Wednesday, September 10, 2003 19:20, Dan Patnode [EMAIL PROTECTED] wrote:

 

I did a scan of all uncaught spam from the last week, found all
the ones with Q, removed the QU's and ended up with this list.
All of these would have been seen by Matt's new config:
Subject: Block those unwanted Popups yqvqk
Subject: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: Block those unwanted Popups yqvqk
Subject: FW: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: FW: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: FW: get that extra boost in the bed uvqtc qqyixu 
Subject: FW: new mailREgnfqnKQT
Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: Re: new mailREgnfqnKQT
Subject: Re: new mail REgnfqnKQT
Subject: Stop messages SPAM po p  

Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Dan Patnode
FYI, I pulled this test 3 weeks ago after an email from France came through (or rather 
didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, 
disposable domain names, and nothing else in the body of the message.  There has to be 
a way to bring the 2 or 3 variables together as a super test.


Dan


On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:
Use a text filter and add something like:

 SUBJECT 40 CONTAINS =?ISO-8859-1?b?

 to it.

 I tried this all the way down to just ?b? and a SUBJECT filter
didn't catch it.  The SUBJECT filter also doesn't catch the
decoded text.

 I found though that if you use the HEADERS filter, it will
catch this (customize to suit, this will only catch Latin-1
that is base64 encoded, and I can't think of why that would be
necessary, I would think that only other character sets could
need this):

    HEADERS        10    CONTAINS    ISO-8859-1?B?

 Neither the HEADERS filter nor the SUBJECT filter is catching
the decoded form of the text.  The BASE64 test is also not
catching this if it's only in the Subject of the message (I
assume it only does the body/attachments).

 The not so funny thing is that I'm getting this now as a part
of those E-mails containing no displayable text.  This guy is
real good at getting through my settings unless he chooses a
bad IP to send from.  I think a few days ago, another person on
this list commented about this same spammer, bringing up the
domains that he is using (common words followed by numbers). 
The only pattern this guy leaves apart from having no text in
the body, is having different countries' TLDs listed in the
Received line, the sender, and the reverse DNS.  Here's a copy
of what I just received using this technique (with links
modified):


From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2: 
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP
  (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject:
=?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: Shirley Dalton [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail
service (www.igaia.com) for spam.
X-Note: This E-mail was sent from
host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 314612976

htmlbody
center!--lfoln42j66--a
href=http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni;img
src=http://discountrate2-dot-com/pics/gv1.gif; height=270 width=405/a/center
/html/body



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
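An added Python example (not part of any post in this thread and not Declude code) covering the two ideas discussed above: running the GibberishSub letter-pair list against the decoded subject instead of the raw encoded-word, and combining "needlessly encoded subject" with "no displayable body text" into a single test. The function names, the sample bodies and the Japanese subject are constructed for illustration; the other subjects are quoted from the thread.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
TAG_OR_COMMENT = re.compile(r"<!--.*?-->|<[^>]*>", re.S)

# The two-letter combinations listed in the GibberishSub filter in this thread.
GIBBERISH = ("qb qc qd qe qf qg qh qi qj qk qm qn qo qp qr qs qt qv qx qy qz "
             "vq wq tq jq xd xj xk xr xz zb zc zf zj zk zl zm zx").split()


def decode_subject(raw):
    """Return (decoded_text, charsets, all_words_decoded) for a raw Subject value."""
    charsets = []
    ok = True

    def _decode(match):
        nonlocal ok
        charset, enc, payload = match.group(1), match.group(2).upper(), match.group(3)
        charsets.append(charset.lower())
        try:
            if enc == "B":
                data = base64.b64decode(payload, validate=True)
            else:
                data = quopri.decodestring(payload.encode("ascii"), header=True)
            return data.decode(charset, errors="replace")
        except (ValueError, LookupError):
            ok = False
            return match.group(0)  # undecodable word: keep it as received

    # Whitespace between adjacent encoded-words is not part of the text.
    joined = re.sub(r"(\?=)\s+(=\?)", r"\1\2", raw)
    return ENCODED_WORD.sub(_decode, joined), charsets, ok


def bigram_hits(text):
    """Letter pairs from the filter list that occur in text, case-insensitively."""
    lowered = text.lower()
    return sorted(bg for bg in GIBBERISH if bg in lowered)


def subject_signals(raw):
    decoded, charsets, ok = decode_subject(raw)
    ascii_text = ok and decoded.isascii()
    return {
        "decoded": decoded,
        "encoded": bool(charsets),
        # Encoded although the result is plain ASCII, so the encoding carried
        # nothing that a 7-bit header could not.
        "needless_encoding": bool(charsets) and ascii_text,
        # What a substring filter matches when it is handed the undecoded header.
        "raw_hits": bigram_hits(raw),
        # Letter-pair test on decoded text only; skipped for non-ASCII scripts.
        "decoded_hits": bigram_hits(decoded) if ascii_text else [],
    }


def has_visible_text(html_body):
    """True if anything but whitespace is left after removing tags and comments."""
    return bool(TAG_OR_COMMENT.sub("", html_body).strip())


def super_test(raw_subject, html_body):
    """Both signals together: needlessly encoded subject AND nothing displayable."""
    signals = subject_signals(raw_subject)
    return signals["needless_encoding"] and not has_visible_text(html_body)


# Subjects quoted in the thread.
EUC_KR_SUBJECT = "[22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?="
FRENCH_SUBJECT = "=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?="
LIST_TEST_SUBJECT = "=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?="
PLAIN_GIBBERISH = "Block those unwanted Popups yqvqk"
# Constructed for this example: a subject that really needs encoding.
JAPANESE_SUBJECT = ("=?ISO-2022-JP?B?"
                    + base64.b64encode("会議の資料".encode("iso2022_jp")).decode("ascii")
                    + "?=")
# Constructed bodies: one with only a linked image, one with readable text.
IMAGE_ONLY_BODY = ('<html><body><center><!--x1--><a href="http://example.invalid/">'
                   '<img src="http://example.invalid/a.gif"></a></center></body></html>')
TEXT_BODY = "<html><body><p>Enjoy summer until its very end!</p></body></html>"

if __name__ == "__main__":
    for subject in (EUC_KR_SUBJECT, FRENCH_SUBJECT, PLAIN_GIBBERISH, JAPANESE_SUBJECT):
        print(subject_signals(subject))
    print(super_test(FRENCH_SUBJECT, TEXT_BODY))
    print(super_test(LIST_TEST_SUBJECT, IMAGE_ONLY_BODY))
```

The French subject still trips the encoding signal on its own, which is the false positive Dan describes; only the combined test lets it through.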


Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Dan Patnode
Scott,

It pains me to suggest making your todo list longer but how about adding test 
grouping?  It would be too much to make multiple weight scales, but how about something 
simpler.  Say you wanted to make 3 groups of 3 each.  Label one of the option columns 
in such a way that they can be grouped:

Group1        G1            x    x    0    0
Group2        G2            x    x    0    0
Group3        G3            x    x    0    0

BADHEADERS    badheaders    G1   x    0    0
BASE64        base64        G1   x    0    0
HELOBOGUS     helovalid     G1   x    0    0

MAILFROM      envfrom       G2   x    0    0
IPNOTINMX     ipnotinm      G2   x    0    0
PERCENT       percent       G2   x    0    0

REVDNS        revdnsexists  G3   x    0    0
ROUTING       spamrouting   G3   x    0    0
SPAMHEADERS   spamheaders   G3   x    0    0


Sub tests could be duplicated to run solo and in a group or not to run only in a 
group.  Groups could be hit only in action files ($default) or have weights (being 
tests of their own).  We could then build profiles, adding all the different 
behaviors particular spams share, regardless of which tests define those behaviors. 

I would love, for example, to combine an IPFILE listing US broadband IPs with 
NONENGLISH.

Dan



Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Matthew Bramble




How about 4 different super tests? I fail automatically on
=?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail
coming in to my server, but only a handful of additional catches in
what was being missed...no false positives. I think I've mentioned
enough times, the other tests that I would like to have...a BODYTEXT
filter that searches just a decoded non-HTML body, a NOTEXT test for
nothing but spaces and returns and attachments (that's a key) after
decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would
allow you to search for amounts of non-HTML decoded body text just
like SUBECTSPACES and BCC, but in reverse (the less there is, the
higher the score). I could catch so much crap with those 40 or so two
character gibberish strings, in fact I think it was properly tagging
around 10% to 20% of all unique incoming messages today if not more.
That gibberish subject filter is tagging over 5% by itself, and with
perfect accuracy so far. A functional gibberish body filter though
would have a reasonable number of false positives (was tagging buy.com
links that were shown in displayable text for instance). I don't of
course though expect Scott to rush to my aid here.

I have managed to add though tests for SUBECTSPACES (very effective),
COMMENTS (effective) and BCC (just ok), along with some small key
word/phrase filters for the body, subject and sender with very good
success. I only saw about 5 definitive false positives today out of
around 3000 unique messages, but approximately 150 pieces of spam got
through. I think that could be reduced by as much as half without a
measurable impact on the false positives. If that doesn't work, I'm
buying a gun :)

BTW, on Linux, my guru buddy recommends Postfix as the SMTP client and
Webmin as the interface. I don't though dispute Sandy's faith in MS
SMTP, and it can be run on the same box as IMail.

Matt





Re: Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Doug McKee

How about 4 different super tests?  I fail automatically on 
=?ISO-8859-1?B?, and that accounts for more than 1% of the 

What is your test setup for the above string, please?
Thanks,
Doug





Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread R. Scott Perry

It pains me to suggest making your todo list longer but how about adding 
test grouping?

Don't feel bad -- it was already in the todo list.  :)

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Matthew Bramble




Doug McKee wrote:

  What is your test setup for the above string, please?
  


SUBJECT  15 CONTAINS =?ISO-8859-1?b?

From what I can tell, there's no valid reason to encode Latin-1 in the
subject since that character set is supported by default in E-mail, so
it's quite safe to fail on just that.

Matt




Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Dan Patnode
I did a scan of all uncaught spam from the last week, found all the ones with Q, 
removed the QU's and ended up with this list.  All of these would have been seen by 
Matt's new config:


Subject: Block those unwanted Popups yqvqk
Subject: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: Block those unwanted Popups yqvqk
Subject: FW: drive luxury cars and get paid  9xP%oY5NzPG\q2G
Subject: FW: drive luxury cars and get paid  L0z[7J4aYq!F7P1
Subject: FW: get that extra boost in the bed uvqtc qqyixu 
Subject: FW: new mailREgnfqnKQT
Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: Re: new mailREgnfqnKQT
Subject: Re: new mail REgnfqnKQT
Subject: Stop messages SPAM po p  vyoaejswayqo
Subject: [Fwd: 
=?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=


Dan





Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Matthew Bramble
Add the following tests and it gets even better :)

SUBSPACE-10    subjectspaces    10    x    1    0
SUBSPACE-20    subjectspaces    20    x    2    0
SUBSPACE-30    subjectspaces    30    x    3    0

Matt


Re: [Declude.JunkMail] Strange Subject

2003-09-09 Thread Mike Leonard
Matthew Bramble wrote:


Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.


I tried this all the way down to just ?b? and a SUBJECT filter didn't 
catch it.  The SUBJECT filter also doesn't catch the decoded text.


I sent one to myself before I posted, just to make sure it worked. I 
tried again just now and got the same result. 

I have that example line as the first one in the text filter file.  Here 
are the contents of the .SMD file and the entries from the JM log:

Received: from bookeseminars.com [10.172.17.47] by bookeseminars.com with ESMTP
 (SMTPD32-8.02) id A542E80120; Tue, 09 Sep 2003 09:27:30 -0400
Message-ID: [EMAIL PROTECTED]
Date: Tue, 09 Sep 2003 09:27:32 -0400
From: Mike Leonard [EMAIL PROTECTED]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To:  [EMAIL PROTECTED]
Subject: =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-RBL-Warning: MYTXTFILTER: Message failed MYTXTFILTER test (1)
X-Declude-Sender: [EMAIL PROTECTED] [10.172.17.47]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: MYTXTFILTER, WEIGHT10, WEIGHT20, WEIGHT35, WEIGHT40 [45]
X-Booke-Queue-Header: Dd54200e80120abea.SMD
X-Note: Total spam weight of this E-mail is 45.


09/09/2003 09:27:31 Qd54200e80120abea MYTXTFILTER:45 .  Total weight = 45
09/09/2003 09:27:31 Qd54200e80120abea Msg failed MYTXTFILTER (Message failed MYTXTFILTER test (1)). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT10 (Weight of 45 reaches or exceeds the limit of 10.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT20 (Weight of 45 reaches or exceeds the limit of 20.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT35 (Weight of 45 reaches or exceeds the limit of 35.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT40 (Weight of 45 reaches or exceeds the limit of 40.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea R1 Message OK
09/09/2003 09:27:31 Qd54200e80120abea Msg failed MYTXTFILTER (Message failed MYTXTFILTER test (1)). Action=WARN.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT10 (Weight of 45 reaches or exceeds the limit of 10.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT20 (Weight of 45 reaches or exceeds the limit of 20.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT35 (Weight of 45 reaches or exceeds the limit of 35.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT40 (Weight of 45 reaches or exceeds the limit of 40.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Subject: =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
09/09/2003 09:27:31 Qd54200e80120abea From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 10.172.17.47 ID: 

Do you have something like this:

	MYTXTFILTER	filter		D:\Imail\Declude\txtfilters.txt	x	5	0

in your global.cfg file and something like:

	MYTXTFILTER		WARN

in your $default$.junkmail file?

Mike



I found though that if you use the HEADERS filter, it will catch this 
(customize to suit, this will only catch Latin-1 that is base64 
encoded, and I can't think of why that would be necessary, I would 
think that only other character sets could need this):

HEADERS  10  CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the 
decoded form of the text.  The BASE64 test is also not catching this 
if it's only in the Subject of the message (I assume it only does the 
body/attachments).

The not so funny thing is that I'm getting this now as a part of those 
E-mails containing no displayable text.  This guy is real good at 
getting through my settings unless he chooses a bad IP to send from.  
I think a few days ago, another person on this list commented about 
this same spammer, bringing up the domains that he is using (common 
words followed by numbers).  The only pattern this guy leaves apart 
from having no text in the body, is having different country's TLDs 
listed in the Received line, the sender, and the reverse DNS.  Here's 
a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2: 
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP
 (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: Shirley Dalton [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL 

Re: [Declude.JunkMail] Strange Subject

2003-09-09 Thread Matthew Bramble

Add www.spamchk.com 
Base64 encoded subject lines will be decoded before the keyword-check.

Markus
 

It's on my list of things to do.  That would be the best of both worlds 
since this stuff always seems keyword rich.

Right now I'm writing custom filters, and loving the results...

Thanks,

Matt

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
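
The decode-before-keyword-check idea discussed in this thread, as an added example (not code from Declude, spamchk or any poster). The keyword list, function names and the "needless encoding" heuristic (an encoded subject whose decoded bytes are all 7-bit ASCII) are assumptions made for illustration; the first sample subject is the one quoted in the thread, the others are constructed.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
# Constructed keyword list, for the demonstration only.
KEYWORDS = ("viagra", "sildenafil")


def decode_word(charset, encoding, text):
    """Decode one encoded-word and return (text, raw_bytes)."""
    if encoding.lower() == "b":
        raw = base64.b64decode(text, validate=True)
    else:
        raw = quopri.decodestring(text.encode("ascii"), header=True)
    try:
        return raw.decode(charset), raw
    except (LookupError, UnicodeDecodeError):
        return raw.decode("latin-1"), raw  # unknown or wrong charset label


def keyword_hits(text):
    """Case-insensitive substring match, like a CONTAINS filter line."""
    lowered = text.lower()
    return [word for word in KEYWORDS if word in lowered]


def inspect_subject(subject):
    """Decode a Subject value and report what a filter should score."""
    state = {"needless": False, "malformed": False}

    def replace(match):
        try:
            decoded, raw = decode_word(*match.groups())
        except ValueError:  # bad base64 or non-ASCII payload
            state["malformed"] = True
            return match.group(0)
        if all(byte < 0x80 for byte in raw):
            state["needless"] = True  # encoded, yet plain 7-bit ASCII
        return decoded

    # Whitespace between adjacent encoded-words is not part of the text.
    joined = re.sub(r"(\?=)\s+(=\?)", r"\1\2", subject.strip())
    decoded = ENCODED_WORD.sub(replace, joined)
    return {
        "encoded": bool(ENCODED_WORD.search(joined)),
        "decoded": decoded,
        "raw_hits": keyword_hits(subject),
        "decoded_hits": keyword_hits(decoded),
        "needless_encoding": state["needless"],
        "malformed": state["malformed"],
    }


if __name__ == "__main__":
    samples = [
        # Subject quoted in this thread.
        "=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=",
        # Constructed: legitimate Latin-1 subject with an accented character.
        "=?ISO-8859-1?Q?R=E9union_jeudi?=",
        # Constructed: malformed base64 payload.
        "=?ISO-8859-1?B?not*base64?=",
    ]
    for sample in samples:
        print(inspect_subject(sample))
```

Scoring on needless_encoding rather than on the bare =?ISO-8859-1?b? marker leaves subjects that really contain accented characters alone, which is the false-positive concern raised in the thread.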


Re: [Declude.JunkMail] Strange Subject

2003-09-09 Thread Matthew Bramble
Mike,

I'm using v1.75i4 right now, is it possible that you are using a version 
older than 1.75?

I tested my setup about 10 times before I gave up on the SUBJECT filter 
and moved to using HEADERS?

BTW, regardless of how you do it or how it works, this is a great 
filter.  It's not that common, but guaranteed to be spam (IMO) and 
1/10th of the hits are things that would have otherwise gotten through 
on my machine.

Matt



Mike Leonard wrote:

Matthew Bramble wrote:


Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.


I tried this all the way down to just ?b? and a SUBJECT filter didn't 
catch it.  The SUBJECT filter also doesn't catch the decoded text.


I sent one to myself before I posted, just to make sure it worked. I 
tried again just now and got the same result.
I have that example line as the first one in the text filter file.  
Here are the contents of the .SMD file and the entries from the JM log:

Received: from bookeseminars.com [10.172.17.47] by bookeseminars.com 
with ESMTP
 (SMTPD32-8.02) id A542E80120; Tue, 09 Sep 2003 09:27:30 -0400
Message-ID: [EMAIL PROTECTED]
Date: Tue, 09 Sep 2003 09:27:32 -0400
From: Mike Leonard [EMAIL PROTECTED]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) 
Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To:  [EMAIL PROTECTED]
Subject: =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-RBL-Warning: MYTXTFILTER: Message failed MYTXTFILTER test (1)
X-Declude-Sender: [EMAIL PROTECTED] [10.172.17.47]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) 
for spam.
X-Spam-Tests-Failed: MYTXTFILTER, WEIGHT10, WEIGHT20, WEIGHT35, 
WEIGHT40 [45]
X-Booke-Queue-Header: Dd54200e80120abea.SMD
X-Note: Total spam weight of this E-mail is 45.



09/09/2003 09:27:31 Qd54200e80120abea MYTXTFILTER:45 .  Total weight = 45
09/09/2003 09:27:31 Qd54200e80120abea Msg failed MYTXTFILTER (Message 
failed MYTXTFILTER test (1)). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT10 (Weight of 
45 reaches or exceeds the limit of 10.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT20 (Weight of 
45 reaches or exceeds the limit of 20.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT35 (Weight of 
45 reaches or exceeds the limit of 35.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT40 (Weight of 
45 reaches or exceeds the limit of 40.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea R1 Message OK
09/09/2003 09:27:31 Qd54200e80120abea Msg failed MYTXTFILTER (Message 
failed MYTXTFILTER test (1)). Action=WARN.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT10 (Weight of 
45 reaches or exceeds the limit of 10.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT20 (Weight of 
45 reaches or exceeds the limit of 20.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT35 (Weight of 
45 reaches or exceeds the limit of 35.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT40 (Weight of 
45 reaches or exceeds the limit of 40.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Subject: 
=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
09/09/2003 09:27:31 Qd54200e80120abea From: [EMAIL PROTECTED] 
To: [EMAIL PROTECTED]  IP: 10.172.17.47 ID:

Do you have something like this:

	MYTXTFILTER	filter		D:\Imail\Declude\txtfilters.txt	x	5	0

in your global.cfg file and something like:

	MYTXTFILTER		WARN

in your $default$.junkmail file?

Mike



I found though that if you use the HEADERS filter, it will catch this 
(customize to suit, this will only catch Latin-1 that is base64 
encoded, and I can't think of why that would be necessary, I would 
think that only other character sets could need this):

HEADERS  10  CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the 
decoded form of the text.  The BASE64 test is also not catching this 
if it's only in the Subject of the message (I assume it only does the 
body/attachments).

The not so funny thing is that I'm getting this now as a part of 
those E-mails containing no displayable text.  This guy is real good 
at getting through my settings unless he chooses a bad IP to send 
from.  I think a few days ago, another person on this list commented 
about this same spammer, bringing up the domains that he is using 
(common words followed by numbers).  The only pattern this guy 
leaves apart from having no text in the body, is having different 
country's TLDs listed in the Received line, the sender, and the 
reverse DNS.  Here's a copy of what I just received using this 
technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2: 
Received: from 

Re: [Declude.JunkMail] Strange Subject

2003-09-09 Thread Mike Leonard
Matthew Bramble wrote:

Mike,

I'm using v1.75i4 right now, is it possible that you are using a 
version older than 1.75?
We're using 1.75.  I don't know what the sub-version is. I downloaded it 
on 7/22.
Maybe Scott could offer an explanation or hint as to why ours works and 
yours doesn't.

I tested my setup about 10 times before I gave up on the SUBJECT 
filter and moved to using HEADERS?

BTW, regardless of how you do it or how it works, this is a great 
filter.  It's not that common, but guaranteed to be spam (IMO) and 
1/10th of the hits are things that would have otherwise gotten through 
on my machine.


We got about 10 of these for V-pill over the weekend, that's why I set 
it up.  I haven't seen any legitimate email get caught by this filter, 
but we don't normally get email from any non-English speaking countries 
(unless it's spam).

Mike

Matt



Mike Leonard wrote:

Matthew Bramble wrote:


Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.




I tried this all the way down to just ?b? and a SUBJECT filter didn't 
catch it.  The SUBJECT filter also doesn't catch the decoded text.




I sent one to myself before I posted, just to make sure it worked. I 
tried again just now and got the same result.
I have that example line as the first one in the text filter file.  
Here are the contents of the .SMD file and the entries from the JM log:

Received: from bookeseminars.com [10.172.17.47] by bookeseminars.com 
with ESMTP
 (SMTPD32-8.02) id A542E80120; Tue, 09 Sep 2003 09:27:30 -0400
Message-ID: [EMAIL PROTECTED]
Date: Tue, 09 Sep 2003 09:27:32 -0400
From: Mike Leonard [EMAIL PROTECTED]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) 
Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To:  [EMAIL PROTECTED]
Subject: =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-RBL-Warning: MYTXTFILTER: Message failed MYTXTFILTER test (1)
X-Declude-Sender: [EMAIL PROTECTED] [10.172.17.47]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) 
for spam.
X-Spam-Tests-Failed: MYTXTFILTER, WEIGHT10, WEIGHT20, WEIGHT35, 
WEIGHT40 [45]
X-Booke-Queue-Header: Dd54200e80120abea.SMD
X-Note: Total spam weight of this E-mail is 45.



09/09/2003 09:27:31 Qd54200e80120abea MYTXTFILTER:45 .  Total weight 
= 45
09/09/2003 09:27:31 Qd54200e80120abea Msg failed MYTXTFILTER (Message 
failed MYTXTFILTER test (1)). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT10 (Weight of 
45 reaches or exceeds the limit of 10.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT20 (Weight of 
45 reaches or exceeds the limit of 20.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT35 (Weight of 
45 reaches or exceeds the limit of 35.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT40 (Weight of 
45 reaches or exceeds the limit of 40.). Action=IGNORE.
09/09/2003 09:27:31 Qd54200e80120abea R1 Message OK
09/09/2003 09:27:31 Qd54200e80120abea Msg failed MYTXTFILTER (Message 
failed MYTXTFILTER test (1)). Action=WARN.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT10 (Weight of 
45 reaches or exceeds the limit of 10.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT20 (Weight of 
45 reaches or exceeds the limit of 20.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT35 (Weight of 
45 reaches or exceeds the limit of 35.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Msg failed WEIGHT40 (Weight of 
45 reaches or exceeds the limit of 40.). Action=HOLD.
09/09/2003 09:27:31 Qd54200e80120abea Subject: 
=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=
09/09/2003 09:27:31 Qd54200e80120abea From: 
[EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 
10.172.17.47 ID:

Do you have something like this:

	MYTXTFILTER	filter		D:\Imail\Declude\txtfilters.txt	x	5	0

in your global.cfg file and something like:

	MYTXTFILTER		WARN

in your $default$.junkmail file?

Mike



I found though that if you use the HEADERS filter, it will catch 
this (customize to suit, this will only catch Latin-1 that is base64 
encoded, and I can't think of why that would be necessary, I would 
think that only other character sets could need this):

HEADERS  10  CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the 
decoded form of the text.  The BASE64 test is also not catching this 
if it's only in the Subject of the message (I assume it only does 
the body/attachments).

The not so funny thing is that I'm getting this now as a part of 
those E-mails containing no displayable text.  This guy is real good 
at getting through my settings unless he chooses a bad IP to send 
from.  I think a few days ago, another person on this list commented 
about this same spammer, bringing up the 

Re: [Declude.JunkMail] Strange Subject

2003-09-09 Thread R. Scott Perry

I'm using v1.75i4 right now, is it possible that you are using a version 
older than 1.75?
We're using 1.75.  I don't know what the sub-version is. I downloaded it 
on 7/22.
Maybe Scott could offer an explanation or hint as to why ours works and 
yours doesn't.
My guess is some extra spaces/tabs at the end of the line (such as SUBJECT 
40 CONTAINS =?ISO-8859-1?b? instead of SUBJECT 40 CONTAINS 
=?ISO-8859-1?b?).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



[Declude.JunkMail] Strange Subject

2003-09-08 Thread Frederick Samarelli
How does a subject that shows this.

=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=

Display this.

Re:Cheapest Viagra Guaranteed



Re: [Declude.JunkMail] Strange Subject

2003-09-08 Thread R. Scott Perry

How does a subject that shows this.

=?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=

Display this.

Re:Cheapest Viagra Guaranteed
That's because the subject is encoded.  To help support non-English 
languages, there was an RFC that allowed subjects and message bodies to be 
encoded.  In this case, it uses the standard English character set, but 
uses encoding.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Strange Subject

2003-09-08 Thread Markus Gufler

 How does a subject that shows this.
 
 =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=


The ?b? indicates that this subject line is Base64 encoded.

Markus




Re: [Declude.JunkMail] Strange Subject

2003-09-08 Thread Frederick Samarelli
Any suggestion on how to block these.

Thanks.


- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 08, 2003 4:55 PM
Subject: RE: [Declude.JunkMail] Strange Subject



  How does a subject that shows this.
 
  =?ISO-8859-1?b?UmU6Q2hlYXBlc3QgVmlhZ3JhIEd1YXJhbnRlZWQ=?=


 The ?b? indicates that this subject line is Base64 encoded.

 Markus




RE: [Declude.JunkMail] Strange Subject

2003-09-08 Thread Andy Schmidt
 SUBJECT 40 CONTAINS =?ISO-8859-1?b? 

Assuming you don't ever get emails from European countries, Canada or other
locations that use accented characters.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/



RE: [Declude.JunkMail] Strange Subject

2003-09-08 Thread Charles Frolick
I believe the Outlook XP and 2003 mail config test uses the subject
encoding as well on the test message. Had a customer with bad pop
settings leave several tests on webmail and they looked like that.

Thanks,
Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Monday, September 08, 2003 4:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Strange Subject


 SUBJECT 40 CONTAINS =?ISO-8859-1?b? 

Assuming you don't ever get emails from European countries, Canada or
other
locations that use accented characters.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/



Re: [Declude.JunkMail] Strange Subject

2003-09-08 Thread Matthew Bramble





Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.


I tried this all the way down to just ?b? and a SUBJECT filter didn't
catch it. The SUBJECT filter also doesn't catch the decoded text.

I found though that if you use the HEADERS filter, it will catch this
(customize to suit, this will only catch Latin-1 that is base64
encoded, and I can't think of why that would be necessary, I would
think that only other character sets could need this):

 HEADERS  10  CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the
decoded form of the text. The BASE64 test is also not catching this if
it's only in the Subject of the message (I assume it only does the
body/attachments).

The not so funny thing is that I'm getting this now as a part of those
E-mails containing no displayable text. This guy is real good at
getting through my settings unless he chooses a bad IP to send from. I
think a few days ago, another person on this list commented about this
same spammer, bringing up the domains that he is using (common words
followed by numbers). The only pattern this guy leaves apart from
having no text in the body, is having different country's TLDs listed
in the Received line, the sender, and the reverse DNS. Here's a copy
of what I just received using this technique (with links modified):


  From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2: 
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP
  (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: "Shirley Dalton" [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 314612976

<html><body>
<center><!--lfoln42j66--><a href="http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni"><img src="http://discountrate2-dot-com/pics/gv1.gif" height="270" width="405"></a></center>
</html></body>