[Declude.JunkMail] spam getting through

2010-07-28 Thread Harry Vanderzand
Until recently I have had very little spam getting through.

But lately spam like the following pattern gets through:

juonte arm mldlgdb zegvq http://fixkweragc.hpage.com b qifdgll. xz, qrxwuf
wtx n.

Is there any way these can be trapped?

Thank you

Please note our new Address

Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

FWD: Re: Re[2]: [Declude.JunkMail] Spam getting through

2004-10-30 Thread Kim Premuda
-- Original Message --
From: Sheldon Koehler [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 28 Oct 2004 12:12:11 -0700


It is obvious they are using disposable domain names. They come in flavors like 
gbzqrx.info and so on.

---

Interesting point. At first, I could not understand how spammers could afford 
disposable domain names. Then, I came to the conclusion that they are also bona fide 
domain name registrars...it costs them nothing to register thousands of disposable 
domain names.



--
Kim W. Premuda
FastWave Internet Services
San Diego, CA

--
---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



Re: Re: Re[2]: [Declude.JunkMail] Spam getting through

2004-10-30 Thread Darin Cox
Perhaps some...but a few $10 domain names for a spam job that they charge
several hundred dollars for still yields a high profit margin.

A few months ago, against my advice, a customer of mine engaged a firm over
in Clearwater, FL to send out 2 million emails for him to one of their
opt-in lists.  Once I convinced them to send me a test, I verified that
they were one of the larger Florida spammers.  My customer paid them $600
for their services which also included slight reformatting of his pre-made
email ad and redirection of links in the email through their systems to his
website.

I'm sure that setup cost them less than an hour's work, at most two once you
consider the sales time.  With overhead (including all operating expenses,
equipment, software, etc.) I doubt that costs them any more than
$100/hr, which means they're making at least $400 pure profit from the
deal.  So a few $10 domain names don't put much of a dent in their profits.

Darin.


- Original Message - 
From: Kim Premuda [EMAIL PROTECTED]
To: Declude JunkMail Forum [EMAIL PROTECTED]
Sent: Saturday, October 30, 2004 1:34 AM
Subject: FWD: Re: Re[2]: [Declude.JunkMail] Spam getting through


-- Original Message --
From: Sheldon Koehler [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 28 Oct 2004 12:12:11 -0700


It is obvious they are using disposable domain names. They come in flavors
like gbzqrx.info and so on.

---

Interesting point. At first, I could not understand how spammers could
afford disposable domain names. Then, I came to the conclusion that they
are also bona fide domain name registrars...it costs them nothing to
register thousands of disposable domain names.



--
Kim W. Premuda
FastWave Internet Services
San Diego, CA



[Declude.JunkMail] Spam getting through

2004-10-28 Thread Sheldon Koehler
Lately we have been seeing a lot of spam getting through passing ALL tests. 
We are starting to get complaints from customers on this and I wonder if we 
are alone in this problem or not. These are all coming in with a  weight of 
0, no whitelisting or any simple tests are failing (i.e. rDNS).

Sheldon



RE: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Woody Fussell
We have been experiencing the same thing. The spammers seem to be getting
better at passing filters and probably changing IPs and domains as fast as
they can be listed in the spam databases. We have some really hard core
coming to a few users and passing all tests including Sniffer. 

Woody Fussell
Wilbur Smith Associates
[EMAIL PROTECTED]
803-758-4522

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler
Sent: Thursday, October 28, 2004 12:45 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spam getting through

Lately we have been seeing a lot of spam getting through passing ALL tests. 
We are starting to get complaints from customers on this and I wonder if we 
are alone in this problem or not. These are all coming in with a  weight of 
0, no whitelisting or any simple tests are failing (i.e. rDNS).

Sheldon





RE: [Declude.JunkMail] Spam getting through

2004-10-28 Thread John Tolmachoff (Lists)
Time to review the logs and see what is going on.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Sheldon Koehler
> Sent: Thursday, October 28, 2004 9:45 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Spam getting through
>
> Lately we have been seeing a lot of spam getting through passing ALL tests.
> We are starting to get complaints from customers on this and I wonder if we
> are alone in this problem or not. These are all coming in with a weight of
> 0, no whitelisting or any simple tests are failing (i.e. rDNS).
>
> Sheldon
 
 
 


Re: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Sheldon Koehler

> We have been experiencing the same thing. The spammers seem to be getting
> better at passing filters and probably changing IPs and domains as fast as
> they can be listed in the spam databases. We have some really hard core
> coming to a few users and passing all tests including Sniffer.

Most of it is porno and they are not failing mailpolice-porn on top of 
sniffer-porn.

John, the logs are fine, they just do not seem to fail ANY tests. They look 
like a normal email.

Sheldon


Re: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Rick Davidson
Have you looked at the headers and body source to determine why they are
getting through and what you need to add to your filters to stop them? There
is usually some type of common fingerprint you can filter on. If it is not
failing those other tests it's likely they haven't seen the messages; it's up
to you to keep adjusting your filters.

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message - 
From: Sheldon Koehler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 1:29 PM
Subject: Re: [Declude.JunkMail] Spam getting through



We have been experiencing the same thing. The spammers seem to be getting
better at passing filters and probably changing IPs and domains as fast as
they can be listed in the spam databases. We have some really hard core
coming to a few users and passing all tests including Sniffer.

Most of it is porno and they are not failing mailpolice-porn on top of 
sniffer-porn.

John, the logs are fine, they just do not seem to fail ANY tests. They 
look like a normal email.

Sheldon


RE: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Colbeck, Andrew
No, I haven't seen this.

But I have meant to ask if others on the list are seeing that their spam
volumes are up in the last week.  I have, by a 10% increase.  What I'm
seeing is not more spam getting to mailboxes, just more spam volume.  Viral
activity has been constant.

Andrew 8)

-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 28, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spam getting through


Lately we have been seeing a lot of spam getting through passing ALL tests. 
We are starting to get complaints from customers on this and I wonder if we 
are alone in this problem or not. These are all coming in with a  weight of 
0, no whitelisting or any simple tests are failing (i.e. rDNS).

Sheldon





Re: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Rick Davidson
I have seen an increase in volume the past week but have had very little
make it to the users.

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 1:49 PM
Subject: RE: [Declude.JunkMail] Spam getting through


No, I haven't seen this.

But I have meant to ask if others on the list are seeing that their spam
volumes are up in the last week.  I have, by a 10% increase.  What I'm
seeing is not more spam getting to mailboxes, just more spam volume.  Viral
activity has been constant.

Andrew 8)

-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spam getting through

Lately we have been seeing a lot of spam getting through passing ALL tests.
We are starting to get complaints from customers on this and I wonder if we
are alone in this problem or not. These are all coming in with a weight of
0, no whitelisting or any simple tests are failing (i.e. rDNS).

Sheldon



Re: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Matt
I'm not seeing anything out of the ordinary this week.
One thing of note however.  When the dictionary attacks started coming 
in force to my domains, I saw a huge shift from static spam to zombie 
spam.  It turns out that much of this was just simply garbage going to 
bad addresses.  One spammer accounts for over 25% of my mail volume, all 
from dictionary attacks (I have about 10 domains involved with these on 
and off).  I've also noted that there are some spammers that are 
repeatedly slamming their harvested lists from some of my larger 
domains.  A 10% increase could just simply be one such spammer.  There 
are two very high volume zombie spammers that have been attacking legit 
addresses on our server for at least a month now.  I wouldn't be 
surprised to see another 5% to 10% of our volume between the two of them.

Static spammers have been more problematic for us than in the past.  
Primarily because these guys are using new IP space and going full force 
from the start.  Something else that I noticed was some of the very high 
volume zombie spam not getting tagged by Sniffer or SURBL for over 24 
hours at times, which leads me to believe that they are getting smarter 
and using specific payload domains across a select group of recipient 
domains in order to avoid detection.  One spammer managed to do this 
repeatedly, so I'm pretty sure about that.  Seems like SURBL has caused 
spammers to start to enhance their techniques yet again.

Matt

Colbeck, Andrew wrote:
No, I haven't seen this.
But I have meant to ask if others on the list are seeing that their spam
volumes are up in the last week.  I have, by a 10% increase.  What I'm
seeing is not more spam getting to mailboxes, just more spam volume.  Viral
activity has been constant.
Andrew 8)
-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 28, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spam getting through

Lately we have been seeing a lot of spam getting through passing ALL tests. 
We are starting to get complaints from customers on this and I wonder if we 
are alone in this problem or not. These are all coming in with a  weight of 
0, no whitelisting or any simple tests are failing (i.e. rDNS).

Sheldon

 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re[2]: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Pete McNeil
On Thursday, October 28, 2004, 1:29:55 PM, Sheldon wrote:



SK We have been experiencing the same thing. The spammers seem to be getting
SK better at passing filters and probably changing IPs and domains as fast as
SK they can be listed in the spam databases. We have some really hard core
SK coming to a few users and passing all tests including Sniffer.


SK Most of it is porno and they are not failing mailpolice-porn on top of
SK sniffer-porn.

SK John, the logs are fine, they just do not seem to fail ANY tests. They look
SK like a normal email.

This is a good argument for the delayed-scan-and-deliver feature I
suggested previously. The porn guys you are probably talking about we
call the mad-lib pornsters. Every day or so they will come out with
a brand new set of domains delivering a wide array of porn traffic.
Actually, our robots usually manage to pick up quite a bit of it, but
they have huge bandwidth behind them so they get quite a bit of
content out before the updated rules can go in place.

If email from a previously unknown source (from address  IP) were
simply delayed for some configurable number of hours before
consideration then these mechanisms would be rendered inoperative for
the spammers.

Users tend not to have an immediate expectation of response on first
contact - so the delay imposed will generally not matter for
legitimate messages.

For the spam content, a few hours might be all that is needed to get
DNSBLs and other rule-bases (like Message Sniffer) up to speed so that
the bad stuff never gets through.

Anybody that the server already knows gets right through (subject to
normal scanning of course).

pulls up flame proof gloves and latches the helmet closed before
pushing the send button

_M





Re[2]: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Pete McNeil
On Thursday, October 28, 2004, 1:49:25 PM, Andrew wrote:

CA No, I haven't seen this.

CA But I have meant to ask if others on the list are seeing that their spam
CA volumes are up in the last week.  I have, by a 10% increase.  What I'm
CA seeing is not more spam getting to mailboxes, just more spam volume.  Viral
CA activity has been constant.

We're seeing this:

Days Ago   Adjustments
--------   -----------
 0         572
 1         822
 2         963
 3         583
 4         479
 5         421
 6         565
 7         665
 8         659
 9         852
10         683
11         434
12         513
13         652
14         743
15         949

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

It looks like there was a bit of a lull there. However in the past two
days (and today seems headed in that direction) we have seen a pretty
big swell in new spam. 963, 822, 572-already today.

_M





Re: Re[2]: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Sheldon Koehler
> This is a good argument for the delayed-scan-and-deliver feature I
> suggested previously. The porn guys you are probably talking about we
> call the mad-lib pornsters. Every day or so they will come out with
> a brand new set of domains delivering a wide array of porn traffic.
> Actually, our robots usually manage to pick up quite a bit of it, but
> they have huge bandwidth behind them so they get quite a bit of
> content out before the updated rules can go in place.

It is obvious they are using disposable domain names. They come in flavors
like gbzqrx.info and so on. By the time my customers check their email,
forward it to me and then I forward it to Sniffer, it is probably 6-24 hours
old. How many millions have been delivered in that time? Ugh...

Sheldon


Re: Re[2]: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Darin Cox
PM they have huge bandwidth behind them so they get quite a bit of
PM content out before the updated rules can go in place.

You're not kidding about the bandwidth.  There's a medium-sized hosting
center in downtown Tampa that was an offshoot from one of the largest porn
websites.  Their content aside, they actually had a very good business model
for purchasing spare bandwidth from a number of communications providers at
pennies on the dollar, then reselling it at lower rates than their
competition.  They have half a dozen or more providers coming into their
building, mostly for blasting out online video, but I'm sure a significant
amount of spam comes from there as well.

Once we realized who they were, we couldn't use them in good conscience, but
we certainly were impressed by their business sense.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Sheldon Koehler [EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 2:58 PM
Subject: Re[2]: [Declude.JunkMail] Spam getting through


On Thursday, October 28, 2004, 1:29:55 PM, Sheldon wrote:



SK We have been experiencing the same thing. The spammers seem to be getting
SK better at passing filters and probably changing IPs and domains as fast as
SK they can be listed in the spam databases. We have some really hard core
SK coming to a few users and passing all tests including Sniffer.


SK Most of it is porno and they are not failing mailpolice-porn on top of
SK sniffer-porn.

SK John, the logs are fine, they just do not seem to fail ANY tests. They look
SK like a normal email.

This is a good argument for the delayed-scan-and-deliver feature I
suggested previously. The porn guys you are probably talking about we
call the mad-lib pornsters. Every day or so they will come out with
a brand new set of domains delivering a wide array of porn traffic.
Actually, our robots usually manage to pick up quite a bit of it, but
they have huge bandwidth behind them so they get quite a bit of
content out before the updated rules can go in place.

If email from a previously unknown source (from address  IP) were
simply delayed for some configurable number of hours before
consideration then these mechanisms would be rendered inoperative for
the spammers.

Users tend not to have an immediate expectation of response on first
contact - so the delay imposed will generally not matter for
legitimate messages.

For the spam content, a few hours might be all that is needed to get
DNSBLs and other rule-bases (like Message Sniffer) up to speed so that
the bad stuff never gets through.

Anybody that the server already knows gets right through (subject to
normal scanning of course).

pulls up flame proof gloves and latches the helmet closed before
pushing the send button

_M





RE: Re[2]: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Mark E. Smith
> This is a good argument for the delayed-scan-and-deliver
> feature I suggested previously. The porn guys you are
> probably talking about we call the mad-lib pornsters. Every
> day or so they will come out with a brand new set of domains
> delivering a wide array of porn traffic.
> Actually, our robots usually manage to pick up quite a bit of
> it, but they have huge bandwidth behind them so they get
> quite a bit of content out before the updated rules can go in place.

Pete,
That's a great idea but I'm guessing we could do this with an External
program, SQL DB/txt file, and Declude.

Scott,
Check my logic on this...
For the first rule we would run the external filter DELAYSCANANDDELIVER.
The external .exe checks the sender IP against the database and either
issues exit code 0 (process) or 1 (STOPALLTESTS).
If the external .exe doesn't find an IP w/ proper timeset offset in the
database then it would move the Imail Q.SMD files to a hold folder, add the
IP with timestamp to the database.
The question for Scott is how would Declude/Imail react when the Q.SMD file
disappears during the processing?

Is this what you had in mind Pete?





Re[4]: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Pete McNeil
On Thursday, October 28, 2004, 3:12:11 PM, Sheldon wrote:

> This is a good argument for the delayed-scan-and-deliver feature I
> suggested previously. The porn guys you are probably talking about we
> call the mad-lib pornsters. Every day or so they will come out with
> a brand new set of domains delivering a wide array of porn traffic.
> Actually, our robots usually manage to pick up quite a bit of it, but
> they have huge bandwidth behind them so they get quite a bit of
> content out before the updated rules can go in place.

SK It is obvious they are using disposable domain names. They come in flavors
SK like gbzqrx.info and so on. By the time my customers check their email,
SK forward it to me and then I forward it to Sniffer, it is probably 6-24 hours
SK old. How many millions have been delivered in that time? Ugh...

Luckily we get these in spamtraps almost immediately. If a robot
picks it up then the next outgoing rulebase will catch it. If one of
us picks it up then there may be a couple of hours extra (we don't have
a 24-7 Spam-Noc yet) but it will still get nailed soon.

As it turns out, throw-away or not these domains get used for quite a
while. And, as it also turns out many of them come back to life 6-9
months later after dormancy. (These ones get picked up by our deep
scans and reactivated.)

It's a tough problem, but a simple delay will go a long way toward
making these throw-away mechanisms useless. Simply don't listen to
anything new until a bit later and the filtering mechanisms will
always have time to react (since they listen to everything in
real-time).

_M




Re[4]: [Declude.JunkMail] Spam getting through

2004-10-28 Thread Pete McNeil
On Thursday, October 28, 2004, 5:37:13 PM, Mark wrote:

> This is a good argument for the delayed-scan-and-deliver

<snip/>

MES Pete,
MES That's a great idea but I'm guessing we could do this with an External
MES program, SQL DB/txt file, and Declude.

MES Scott,
MES Check my logic on this...
MES For the first rule we would run the external filter DELAYSCANANDDELIVER.
MES The external .exe checks the sender IP against the database and either
MES issues exit code 0 (process) 1 (STOPALLTESTS)
MES If the external .exe doesn't find an IP w/ proper timeset offset in the
MES database then it would move the Imail Q.SMD files to a hold folder, add the
MES IP with timestamp to the database.
MES The question for Scott is how would Declude/Imail react when the Q.SMD file
MES disappears during the processing?

MES Is this what you had in mind Pete?

Very close. Actually I'm thinking that the existing overflow queue
logic would work well. Simply, if the Have-I-Seen-This test fails then
the message is pushed into a DelayedScan queue. Everything older than
UserSpecifiedDelay that is in the DelayedScan queue gets put into the
overflow queue to be processed - or simply picked up and scanned as if
it were.

As I understand it, the overflow queue gets scanned as it is put back
- so this is a fairly minor trick.

_M
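
Added example (not part of any list member's message, and not code from Declude, IMail or Message Sniffer): a minimal Python sketch of the delayed-scan gate that Mark E. Smith and Pete McNeil describe above. The class name, the SQLite schema, the SCAN/HOLD return values, and the rule that held mail becomes due once its source's first-seen time plus the delay has passed are assumptions made for illustration; the addresses and IPs are constructed samples.

```python
import sqlite3
import time

HOUR = 3600.0


class DelayedScanGate:
    """Hypothetical gate: hold mail from unseen (sender, IP) pairs for a delay."""

    def __init__(self, delay_hours=4.0, db_path=":memory:"):
        self.delay = delay_hours * HOUR  # the "UserSpecifiedDelay" of the thread
        self.db = sqlite3.connect(db_path)
        self.db.executescript(
            """
            CREATE TABLE IF NOT EXISTS sources (
                sender     TEXT NOT NULL,
                ip         TEXT NOT NULL,
                first_seen REAL NOT NULL,
                PRIMARY KEY (sender, ip)
            );
            CREATE TABLE IF NOT EXISTS delayed (
                msg_id     TEXT PRIMARY KEY,
                arrived    REAL NOT NULL,
                release_at REAL NOT NULL
            );
            """
        )

    def submit(self, msg_id, sender, ip, now=None):
        """Return "SCAN" for a known source, "HOLD" for a new or still-young one."""
        now = time.time() if now is None else now
        sender, ip = sender.strip().lower(), ip.strip()
        row = self.db.execute(
            "SELECT first_seen FROM sources WHERE sender = ? AND ip = ?",
            (sender, ip),
        ).fetchone()
        # Known source: first seen at least one full delay ago, scan right away.
        if row is not None and now - row[0] >= self.delay:
            return "SCAN"
        first_seen = now if row is None else row[0]
        with self.db:  # one transaction: record the source, park the message
            self.db.execute(
                "INSERT OR IGNORE INTO sources VALUES (?, ?, ?)",
                (sender, ip, first_seen),
            )
            # Assumption: the message is due when its source's delay expires,
            # so later mail from the same young source is not held any longer.
            self.db.execute(
                "INSERT OR IGNORE INTO delayed VALUES (?, ?, ?)",
                (msg_id, now, first_seen + self.delay),
            )
        return "HOLD"

    def release_due(self, now=None):
        """Pop every held message whose delay has expired, oldest first.

        The caller hands these to the normal scanner (the overflow-queue step
        in the thread), by which time blocklists and rulebases have caught up.
        """
        now = time.time() if now is None else now
        with self.db:
            rows = self.db.execute(
                "SELECT msg_id FROM delayed WHERE release_at <= ? "
                "ORDER BY release_at, arrived, msg_id",
                (now,),
            ).fetchall()
            self.db.execute("DELETE FROM delayed WHERE release_at <= ?", (now,))
        return [r[0] for r in rows]

    def pending(self):
        """Number of messages still sitting in the delayed queue."""
        return self.db.execute("SELECT COUNT(*) FROM delayed").fetchone()[0]


def demo():
    """Run a constructed timeline (times in seconds from an arbitrary zero)."""
    gate = DelayedScanGate(delay_hours=4)
    out = {}
    out["first_contact"] = gate.submit("m1", "news@shop.example", "192.0.2.10", now=0)
    out["same_source_1h"] = gate.submit("m2", "News@shop.example", "192.0.2.10", now=1 * HOUR)
    out["due_at_3h"] = gate.release_due(now=3 * HOUR)
    out["due_at_4h"] = gate.release_due(now=4 * HOUR)
    out["known_at_5h"] = gate.submit("m3", "news@shop.example", "192.0.2.10", now=5 * HOUR)
    out["new_ip_at_5h"] = gate.submit("m4", "news@shop.example", "198.51.100.7", now=5 * HOUR)
    out["pending"] = gate.pending()
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```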





RE: Re[2]: [Declude.JunkMail] Spam getting through

2004-10-28 Thread R. Scott Perry

> Check my logic on this...
> For the first rule we would run the external filter DELAYSCANANDDELIVER.
> The external .exe checks the sender IP against the database and either
> issues exit code 0 (process) 1 (STOPALLTESTS)
> If the external .exe doesn't find an IP w/ proper timeset offset in the
> database then it would move the Imail Q.SMD files to a hold folder, add the
> IP with timestamp to the database.
> The question for Scott is how would Declude/Imail react when the Q.SMD file
> disappears during the processing?

You should see warnings in the Declude log files, as Declude tries to
access the file.  However, aside from that, I believe that it should work.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


This outgoing message is guaranteed to be authentic by Message Level users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.